Hi everyone,

I am planning to support SSLv3 and TLSv1.2 on the same port via SNI. This has backwards-compatibility reasons.
 
Using the "sslversion=SSLv3" or "options=NO_SSLv3" directives affects all services, the default one and the SNI one.
I was not able to use e.g.
sslversion=SSLv3 for the default host and change to sslversion=TLSv1.2 on the SNI host.
The first sslversion directive read per conf-file seems to be set and may not be changed with later invocations, right?

So I ended up restricting SSLv3 / TLSv1.2 via ciphers only.
So the default service has SSLv3 ciphers and options=NO_SSLv2, the SNI service has TLS1.2 ciphers only (thus only accepts TLSv1.2 connections).

When testing, I was not able to connect with SSLv3 settings on the SNI service, or vice versa for the default service - just what I wanted.

What are your opinions on security drawbacks with that approach?

Are cipher restrictions sufficient to sort out old SSLvX protocols and sort of FORCE TLS1.2 only?
Is it possible to use some SSLvX based negotiations prior to cipher-negotiation on the SNI-TLS1.2 service, because I did not explicitly use the
sslversion=TLS1.2 directive?

The configuration would look like this (simplified):

[s1default]
#sslVersion=SSLv3
ciphers = SSLv3-ciphers-only
accept = 127.0.0.1:1234
connect = 127.0.0.1:21234

[s1sni]
#sslVersion=TLSv1.2
ciphers = TLS1.2-ciphers-only
sni = s1default:s1sni.example.com
accept = 127.0.0.1:2345
connect = 127.0.0.1:22345

I would be glad if you could share your opinions.

Best Regards,
Michael
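Added example, not from the original post or from stunnel itself: a small audit of the two "ciphers =" lists behind the protocol-by-cipher approach. It relies on the fact that OpenSSL marks AEAD suites (GCM, CCM, ChaCha20) and suites with SHA-256/SHA-384 MACs as TLS 1.2-only, while every other suite in its table can also be negotiated by an SSLv3 or TLS 1.0/1.1 client. The cipher lists and the alias-detection rule (explicit suite names contain a '-', aliases such as HIGH or !aNULL do not) are constructed assumptions standing in for the post's placeholders.

```python
"""Audit stunnel 'ciphers =' lists used to force a protocol version per service."""
import re
from typing import List, NamedTuple

# OpenSSL will not negotiate these suites below TLS 1.2 (RFC 5246, RFC 5288,
# RFC 6655, RFC 7905); any other suite is also valid for an SSLv3 client.
_TLS12_ONLY = re.compile(r"GCM|CCM|CHACHA20|SHA256|SHA384")


class Audit(NamedTuple):
    tls12_only: List[str]  # suites an SSLv3 client can never negotiate
    legacy_ok: List[str]   # suites an SSLv3 client could still negotiate
    aliases: List[str]     # tokens not expanded here (HIGH, !aNULL, @STRENGTH, ...)


def audit_ciphers(spec: str) -> Audit:
    """Classify each token of an OpenSSL cipher string (assumption: explicit
    suite names always contain '-', cipher-string aliases never do)."""
    tls12, legacy, aliases = [], [], []
    for tok in filter(None, spec.split(":")):
        if "-" not in tok or tok[0] in "!-+@":
            aliases.append(tok)          # cannot tell what it expands to
        elif _TLS12_ONLY.search(tok):
            tls12.append(tok)
        else:
            legacy.append(tok)
    return Audit(tls12, legacy, aliases)


def forces_tls12(spec: str) -> bool:
    """True only if every suite is TLS 1.2-only and nothing is left unexpanded.
    An SSLv3 ClientHello is still parsed on the port, but the handshake then
    ends in handshake_failure because no offered suite is acceptable."""
    a = audit_ciphers(spec)
    return bool(a.tls12_only) and not a.legacy_ok and not a.aliases


# Constructed sample lists in place of "TLS1.2-ciphers-only" / "SSLv3-ciphers-only".
SNI_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256"
SNI_CIPHERS_LEAKY = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA"  # SHA-1 suite
DEFAULT_CIPHERS = "AES128-SHA:DES-CBC3-SHA"

if __name__ == "__main__":
    for name, spec in (("s1sni", SNI_CIPHERS), ("s1sni-leaky", SNI_CIPHERS_LEAKY),
                       ("s1default", DEFAULT_CIPHERS)):
        a = audit_ciphers(spec)
        print(f"{name}: forces TLS1.2={forces_tls12(spec)} "
              f"legacy-negotiable={a.legacy_ok} unexpanded={a.aliases}")
```

Note that the converse does not hold for the default service: a list made only of legacy suites such as AES128-SHA is still valid under TLS 1.0 through 1.2, so ciphers alone cannot pin that service to SSLv3; only sslVersion or options=NO_TLSv1... style directives do that.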