[stunnel-users] Problem with sslv2 clients

• Previous message (by thread): [stunnel-users] Problem with sslv2 clients
• Next message (by thread): [stunnel-users] Problem with sslv2 clients
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Am 12.12.2011 16:57, schrieb Michal Trojnara:
> Markus Borst wrote:
>> I want client and server to _NEGOTIATE_ a "higher" protocol.
>
> fips = no
> sslVersion = all
> options = NO_SSLv2
>
> According to my tests it does exactly what you want.
>
> Mike

Sorry for the late reply. Yes, thanks, this combination does indeed 
work. Older ssl client can connect and use either sslv3 or tlsv1. I 
would have thought that this would be default behaviour, but there are 
probably reasons to do it otherwise.

Since the use of these options in this combination is not clear from the 
documentation, I have a few suggestions to update the docs:
   - explain what fips does (not the whole specification, just which 
methods and ciphers are disabled)
   - clearly state which methods (SSL, TLS, ciphers) are used by 
default, with or without fips.
   - explain the "options = NO_SSLv2" option. Currently, it is not even 
mentioned.
As a longer term enhancement, I suggest making the "sslVersion" option 
multi-valued: Currently, I can only select one of the three, or all 
three, but not just two out of three. (I.e., what will we do when a 
TLSv2 comes around?)


And the above configuration should go as an example into the default 
config file, since this particular combination ("sslVersion=all" AND 
"options=NO_SSLv2") ist a bit counter intuitive.

Greetings
Markus Borst

• Previous message (by thread): [stunnel-users] Problem with sslv2 clients
• Next message (by thread): [stunnel-users] Problem with sslv2 clients
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]