Timo Sirainen wrote:
So I guess what happens is that OpenSSL advertises that it supports SSLv2. But then the ssl_cipher_list's !SSLv2 doesn't let the SSLv2 handshake actually go through. So it's not really possible to use SSLv2. You can verify this with:
openssl s_client -ssl2 -connect localhost:995
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Mountain View/O=Out of the Box Computing/CN=ootbcomp.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Out of the Box Computing/CN=ootbcomp.com
verify return:1
10171:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
So you're saying that because the last line shows the cipher list stopping it, then the security problems with sslv2 can't bite me?
Patrick
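
Added example, not part of the original thread: OpenSSL's SSLv2 client reports "no cipher list" when the server's SERVER-HELLO carries zero cipher specs, so this sketch parses that message and shows the check that stops the handshake. The function names, the `build_sample` helper and the sample bytes are constructed for illustration; the field layout follows the SSLv2 specification and handshake records are assumed to carry no padding.

```python
import struct

SSL2_MT_SERVER_HELLO = 4  # message type byte of an SSLv2 SERVER-HELLO

def parse_ssl2_server_hello(record: bytes) -> dict:
    """Parse one SSLv2 record carrying a SERVER-HELLO."""
    if len(record) < 3:
        raise ValueError("record too short")
    if record[0] & 0x80:   # 2-byte header, no padding
        length, off = ((record[0] & 0x7F) << 8) | record[1], 2
    else:                  # 3-byte header (padding length in third byte)
        length, off = ((record[0] & 0x3F) << 8) | record[1], 3
    body = record[off:off + length]
    if len(body) != length or length < 11:
        raise ValueError("truncated record")
    if body[0] != SSL2_MT_SERVER_HELLO:
        raise ValueError("not a SERVER-HELLO (type %d)" % body[0])
    hit, cert_type, version, cert_len, cs_len, cid_len = struct.unpack(
        ">BBHHHH", body[1:11])
    if 11 + cert_len + cs_len + cid_len != length or cs_len % 3:
        raise ValueError("inconsistent length fields")
    specs = body[11 + cert_len:11 + cert_len + cs_len]
    return {
        "session_id_hit": bool(hit),
        "version": version,
        # Each SSLv2 cipher spec is 3 bytes, e.g. 010080 = RC4_128_WITH_MD5.
        "ciphers": [specs[i:i + 3].hex() for i in range(0, cs_len, 3)],
    }

def sslv2_usable(record: bytes) -> bool:
    """True if an SSLv2 handshake could continue past SERVER-HELLO."""
    hello = parse_ssl2_server_hello(record)
    # On a new session an empty list leaves the client nothing to pick.
    return hello["session_id_hit"] or bool(hello["ciphers"])

def build_sample(cipher_specs, hit=0) -> bytes:
    """Constructed test message; certificate and connection id are dummies."""
    cert, conn_id, specs = b"\x30\x00", bytes(16), b"".join(cipher_specs)
    body = struct.pack(">BBBHHHH", SSL2_MT_SERVER_HELLO, hit, 1, 0x0002,
                       len(cert), len(specs), len(conn_id))
    body += cert + specs + conn_id
    return struct.pack(">H", 0x8000 | len(body)) + body

if __name__ == "__main__":
    print(sslv2_usable(build_sample([])))                          # empty list
    print(sslv2_usable(build_sample([bytes.fromhex("010080")])))   # one cipher
```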