[Pkg-openssl-devel] Bug#765565: Bug#765565: Bug#765565: openssl: don't completely disable ssl3/2 but rather just don't use it

Kurt Roeckx kurt at roeckx.be
Fri Oct 17 21:12:37 UTC 2014


On Fri, Oct 17, 2014 at 07:02:48PM +0200, Kurt Roeckx wrote:
> On Fri, Oct 17, 2014 at 04:47:57PM +0100, Robin Bailey wrote:
> >   Supported Server Cipher(s):
> > Accepted  SSLv3    256 bits  AES256-SHA
> > Accepted  SSLv3    128 bits  AES128-SHA
> > Accepted  SSLv3    128 bits  RC4-SHA
> > Accepted  SSLv3    112 bits  DES-CBC3-SHA
> 
> SSLv3 is supposed to be completely disabled, but it seems it's not.

So I can't actually reproduce this.  Are you sure this is not some
bug in the tool?  I can only get it to negotiate those ciphers
with TLS >= 1.0.  Please note that the cipher is supported by
SSLv3, and "openssl ciphers -v" will show it as SSLv3, but that
doesn't mean it can't be used with TLS.


Kurt
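
Added example, not part of the original message and not OpenSSL code: a small parser for "openssl ciphers -v" output that treats the second column as the lowest protocol version defining the suite, and lists which enabled protocol versions each suite can still be negotiated under. The sample lines are constructed in the OpenSSL 1.0.1-era layout, and the function names are hypothetical.

```python
# Constructed sample of `openssl ciphers -v` output (OpenSSL 1.0.1-era layout).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

# Protocol versions in ascending order. SSLv2 and TLSv1.3 suites are
# separate families and are handled as "that protocol only" below.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def parse_ciphers_v(text):
    """Return {suite_name: label}; label is the second column of `ciphers -v`."""
    suites = {}
    for line in text.splitlines():
        fields = line.split()
        # A real suite line has name, label, then Kx=/Au=/Enc=/Mac= fields.
        if len(fields) >= 2 and any(f.startswith("Kx=") for f in fields[2:]):
            suites[fields[0]] = fields[1]
    return suites


def usable_protocols(label):
    """The label is the lowest version that defines the suite, not the only one."""
    if label in ORDER:
        return ORDER[ORDER.index(label):]
    return [label]  # e.g. SSLv2 or TLSv1.3: usable only with that protocol


def negotiable(text, enabled):
    """Map each suite to the enabled protocol versions it can be negotiated under."""
    return {
        name: [p for p in usable_protocols(label) if p in enabled]
        for name, label in parse_ciphers_v(text).items()
    }


if __name__ == "__main__":
    # A server with SSLv3 disabled and TLS 1.0 through 1.2 enabled.
    enabled = {"TLSv1", "TLSv1.1", "TLSv1.2"}
    for name, protos in negotiable(SAMPLE, enabled).items():
        print(f"{name:28} {', '.join(protos) or 'not negotiable'}")
```

With SSLv3 removed from the enabled set, the four suites labelled SSLv3 remain negotiable under TLS, which is why a cipher name alone in a scanner report does not show that the SSLv3 protocol was accepted.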


