Disallowing ssl2

John Almberg jalmberg at identry.com
Tue Nov 11 07:30:33 PST 2008

> It's certainly possible to insist on SSLv3 or TLSv1 for SSL connections,
> and nothing[*] will break.  The client and server will negotiate to find a
> mutually acceptable cipher and protocol level at the point of making the
> connection.

This seems to be less painful than I was anticipating... Besides
Apache, I had to figure out how to boost the security on IMAP and POP3
connections. I'm using Courier, so this was pretty simple... just
added the following to the imap and pop ssl config files:


I'm going to resubmit the server... hopefully it will pass this time.

But I wonder why the defaults for Apache and Courier are to accept  
SSL 2, if it is so problematical?

-- John
