On 12.12.2011 16:57, Michal Trojnara wrote:
Markus Borst wrote:
I want client and server to _NEGOTIATE_ a "higher" protocol.
fips = no
sslVersion = all
options = NO_SSLv2
According to my tests it does exactly what you want.
Mike
Sorry for the late reply. Yes, thanks, this combination does indeed work. Older SSL clients can connect and use either SSLv3 or TLSv1. I would have thought that this would be the default behaviour, but there are probably reasons to do it otherwise.
Since the use of these options in this combination is not clear from the documentation, I have a few suggestions to update the docs:
- explain what fips does (not the whole specification, just which methods and ciphers are disabled)
- clearly state which methods (SSL, TLS, ciphers) are used by default, with or without fips
- explain the "options = NO_SSLv2" option. Currently, it is not even mentioned.

As a longer term enhancement, I suggest making the "sslVersion" option multi-valued: currently, I can only select one of the three, or all three, but not just two out of three. (I.e., what will we do when a TLSv2 comes around?)
And the above configuration should go as an example into the default config file, since this particular combination ("sslVersion=all" AND "options=NO_SSLv2") is a bit counter-intuitive.
Greetings,
Markus Borst