From: Jamie C. <jca...@we...> - 2007-03-27 20:01:21
On 27/Mar/2007 08:07 Dave Isaacs wrote ..
> We have had some complaints that the miniserv web server supports SSL
> 2.0, which is considered a weak encryption protocol. Looking into this
> I discovered the ssl_version configuration setting in miniserv.conf, so I
> specified ssl_version=10. This should have specified to support only
> TLS version 1.0. I then restarted webmin.
>
> To test this out I disabled TLS and SSL 3.0 support on my Firefox,
> Netscape, and IE7 browsers. Firefox reacts as expected: it will not
> connect to the webmin server. But Netscape and IE7 both still connect,
> and show SSL 2.0 as the protocol being used.
>
> Have I misinterpreted the use of the ssl_version setting? Or is there a
> bug in the use of SSLeay that still allows unselected ssl versions to be
> used (though that wouldn't explain why Firefox is behaving).

Hi Dave,
The ssl_version option should set the version that SSLeay will accept only.
Unfortunately I don't know what it does internally with this setting, but the
docs say that it should work :-)

> Thanks
>
> Dave Isaacs
>
> BTW, the customer in question is using Webmin 1.290 (they can't upgrade
> until later this year). I don't know if that makes a difference?

Version 1.290 does support this option in just the same way as later versions..

 - Jamie
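
A protocol-level form of the browser test described in this thread, as an added example that is not part of the original messages or of Webmin's code: it sends a pure SSL 2.0 CLIENT-HELLO to a server you administer and classifies the first bytes of the reply. The function names are hypothetical, port 10000 is assumed to be the Webmin listener, and the fixed challenge is acceptable only because the handshake is never completed.

```python
import socket
import struct

# SSL 2.0 cipher kinds (3 bytes each) offered in the probe.
SSL2_CIPHERS = [b"\x01\x00\x80",  # RC4_128_WITH_MD5
                b"\x07\x00\xc0",  # DES_192_EDE3_CBC_WITH_MD5
                b"\x03\x00\x80",  # RC2_128_CBC_WITH_MD5
                b"\x06\x00\x40"]  # DES_64_CBC_WITH_MD5


def build_ssl2_client_hello(challenge=b"\x00" * 16):
    """Return a pure SSL 2.0 CLIENT-HELLO record (version 0x0002)."""
    specs = b"".join(SSL2_CIPHERS)
    # msg_type=1, version, cipher_spec_length, session_id_length, challenge_length
    body = struct.pack(">BHHHH", 1, 0x0002, len(specs), 0, len(challenge))
    body += specs + challenge
    # Two-byte record header: high bit set, 15-bit length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_reply(data):
    """Classify the first bytes a server sends back after the probe."""
    if not data:
        return "closed"                 # peer closed: SSL 2.0 hello refused
    if len(data) >= 3 and data[0] & 0x80:
        if data[2] == 4:
            return "ssl2-server-hello"  # server is negotiating SSL 2.0
        if data[2] == 0:
            return "ssl2-error"         # SSL 2.0 ERROR message
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 3:
        return "ssl3-tls-record"        # SSL 3.0/TLS alert or handshake
    return "unknown"


def probe(host, port=10000, timeout=5.0):
    """Send the probe to a server you administer and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl2_client_hello())
        try:
            return classify_reply(sock.recv(16))
        except ConnectionResetError:
            return "closed"
        except socket.timeout:
            return "no-reply"
```

A result of `ssl2-server-hello` means the listener still accepts SSL 2.0 regardless of what `ssl_version` is set to; `closed` or `ssl3-tls-record` means the SSL 2.0 hello was not accepted.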