[WEB SECURITY] SSL Server Options - Ciphers

hector gmail.sant9442 at winserver.com
Sun Jul 5 06:38:05 EDT 2009

Paul Johnston wrote:

> Hi,
>> Now, in my internal testing with openssl s_client -ssl2 -connect host:443
>> and with IE and Firefox by forcing them to [X] Use SSLv2 only, the
>> testing seems to work. No successful SSL negotiation and connection was
>> made.
> What I have seen with some devices (Cisco SCA) is that if the
> protocol/cipher is disabled, an SSL connection is still made, but the
> device then only returns a page that explains the cipher is disabled.
> The PCI scan company at first reported this as failing - their tool
> was just seeing the established connection, and not recognizing that
> it's just an error page. When I challenged this, they agreed that this
> arrangement is compliant with the spirit of PCI - a CC number will
> never go over the weak cipher. They updated their tool and noted us as
> compliant.
> Now, I'm not sure this is the same issue you've seen - you indicate no
> SSL connection was made at all. But it's quite a similar issue, so may
> be relevant.

Hi Paul,

What I now know is that if I use SSLv3 at the protocol level (this was
the setting I was using), I was seeing no connection, with IE and Firefox
going into an infinite busy state. I wondered if that was normal or not.

When SSLv2/SSLv3 is used, along with the proper cipher string to remove SSLv2
and low bit lengths, then FF and IE both show a fast negative
response. Openssl s_client shows a connect, one block write and no
more handshaking.

I guess it makes sense for the server protocol to be open to
SSLv2/SSLv3 and then let the C/S cipher negotiate the SSLv3 only
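A scanner-side check for the behaviour described in this thread, added here as an example and not code from either poster: parse `openssl s_client` output and count a TCP connect with no negotiated cipher as a failed handshake, not a success, and flag a session that did negotiate SSLv2 or a sub-128-bit cipher. The three output samples are constructed and abridged, and the cipher bit table is a hand-picked subset of OpenSSL's cipher list.

```python
import re

# Key length in bits for a few OpenSSL cipher-suite names (a hand-picked
# subset of `openssl ciphers -v` output; extend as needed).
CIPHER_BITS = {
    "EXP-RC4-MD5": 40, "EXP-DES-CBC-SHA": 40, "DES-CBC-SHA": 56,
    "DES-CBC3-SHA": 168, "RC4-MD5": 128, "RC4-SHA": 128,
    "AES128-SHA": 128, "AES256-SHA": 256,
}

def classify_s_client(output):
    """Classify the result of one `openssl s_client` run from its output.

    Returns one of:
      'no_handshake'   - TCP connected but no SSL session was negotiated
                         (a scanner must not count this as success)
      'weak'           - session negotiated over SSLv2 or with a <128-bit cipher
      'unknown_cipher' - session negotiated with a cipher not in CIPHER_BITS
      'ok'             - acceptable protocol and cipher
    """
    # s_client always prints a summary line "New, <proto>, Cipher is <name>";
    # on a failed handshake both fields read "(NONE)".
    m = re.search(r"^New, (.+?), Cipher is (.+)$", output, re.M)
    if not m or m.group(2).strip() == "(NONE)":
        return "no_handshake"
    protocol, cipher = m.group(1).strip(), m.group(2).strip()
    if protocol == "SSLv2":
        return "weak"
    bits = CIPHER_BITS.get(cipher)
    if bits is None:
        return "unknown_cipher"
    return "weak" if bits < 128 else "ok"

# Constructed, abridged s_client outputs for the cases discussed in the thread.
SSLV2_REFUSED = """CONNECTED(00000003)
ssl handshake failure
---
New, (NONE), Cipher is (NONE)
"""
SSLV2_ACCEPTED = """CONNECTED(00000003)
---
New, SSLv2, Cipher is RC4-MD5
SSL-Session:
    Protocol  : SSLv2
    Cipher    : RC4-MD5
"""
SSLV3_OK = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
"""
```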
