This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author naif
Recipients gregory.p.smith, naif, pitrou
Date 2011-12-19.12:52:59
SpamBayes Score 0.0066342303
Marked as misclassified No
Message-id <1324299180.03.0.495012472007.issue13636@psf.upfronthosting.co.za>
In-reply-to
Content 
To disable SSLv2 you must specifically disable it.

Look, i tried a server we're working on http://github.com/hellais/tor2web that's running on:

privacyresearch.infosecurity.ch port 8888

With 'HIGH:!aNULL:!eNULL' SSLv2 can connect:

openssl s_client -connect  privacyresearch.infosecurity.ch:8888 -ssl2

SSLv2, Cipher is DES-CBC3-MD5

So it negotiated SSLv2 with 3DES that's not a good choice, SSLv2 must be disabled.

We must disable SSLv1 with !SSLv2, for example i am using just now 'HIGH:!aNULL:!eNULL:!SSLv2:@STRENGTH' .

Trying to connect with SSLv2 fail:
openssl s_client -connect  privacyresearch.infosecurity.ch:8888 -ssl2
140735092141340:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:

Trying to connect by default, it select a strong cipher (i still didn't setup the dh/stuff):

openssl s_client -connect  privacyresearch.infosecurity.ch:8888

Connect with: TLSv1/SSLv3, Cipher is AES256-SHA
History
Date User Action Args
2011-12-19 12:53:00naifsetrecipients: + naif, gregory.p.smith, pitrou
2011-12-19 12:53:00naifsetmessageid: <1324299180.03.0.495012472007.issue13636@psf.upfronthosting.co.za>
2011-12-19 12:52:59naiflinkissue13636 messages
2011-12-19 12:52:59naifcreate