Re: [openssl-security] Openssl Vulnerability detected

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-security] Openssl Vulnerability detected

Viktor Dukhovni


> On Dec 22, 2017, at 7:03 AM, Salz, Rich <[hidden email]> wrote:
>
> Having said that, the answer is upgrade to a supported version, ideally 1.1.0

A better answer is typically to deploy the latest patched version from the
platform vendor.  And to not enable SSLv2 or SSLv3.  Most applications
support configurable cipher strings.  If one wants to disable DES and 3DES
just set the cipherstring to:

        DEFAULT:!3DES:!LOW:!EXPORT

plus any other desired exclusions.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users