On Tue, Dec 02, 2014 at 08:34:50AM -0800, Darren Pilgrim wrote:
On 12/1/2014 9:44 PM, Will Yardley wrote:
On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote:
On 12/1/2014 4:43 PM, Will Yardley wrote:
Can you use both ssl_protocols *and* ssl_cipher_list in the same config (in a way that's sane)?
Yes to both. If you need to support older clients:
But why does ssl_protocols behave differently depending on if $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?
It seems that if ssl_cipher_list is defined, ssl_protocols = !SSLv2 !SSLv3
results in TLS1.2 being the only one active, but if it is defined, 1.0, 1.1, and 1.2 are all active?
Where are you see this behaviour? What tool is reporting this?
I have mostly been testing with nmap, e.g., nmap -p 993 --script ssl-enum-ciphers [target]
This then breaks down the ciphers by protocol suite. I'll test with your ssl_cipher_list example and see if it's reproducible.
w