Forum OpenACS Development: SSLv2 on config.tcl
The aolserver's config.tcl on cvs has the following lines on the nsopenssl users section:
ns_param Protocols "SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
It seems inconsistent to not allow SSLv2 protocol and add it explicitely on the CipherSuite line (+SSLv2).
Is there any reason for that? SSLv2 is an older version of the protocol with known security issues, such as a susceptibility to Man In the Middle attacks, so disabling it is fine. I think the CipherSuite line should look like that (!SSLv2 explicitely disables the protocol):
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP"
I'd like to change it on cvs, but I think it's better to ask here before doing it :)