Forum OpenACS Development: SSLv2 on config.tcl

Posted by Héctor Romojaro on

The aolserver's config.tcl on cvs has the following lines on the nsopenssl users section:

ns_param Protocols "SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"

It seems inconsistent to not allow SSLv2 protocol and add it explicitely on the CipherSuite line (+SSLv2).

Is there any reason for that? SSLv2 is an older version of the protocol with known security issues, such as a susceptibility to Man In the Middle attacks, so disabling it is fine. I think the CipherSuite line should look like that (!SSLv2 explicitely disables the protocol):

ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP"

I'd like to change it on cvs, but I think it's better to ask here before doing it :)

Cheers, Héctor