Welcome! Log In Create A New Profile

Advanced

Cipher selected based on TLS version in ClientHello

Posted by nifer 
Cipher selected based on TLS version in ClientHello
December 13, 2012 06:08PM
Hi

First a disclaimer, I am not a professional SSL/TLS-dude :)

From what I gather, with TLS 1.0 and the BEAST attack, only non-CBC-mode ciphers (i.e. RC4) are still "secure".
TLS 1.1 mitigated that attack vector.

Consider a case when the server needs to support TLS 1.0 and TLS 1.1:
As far as I understand it, there's now way to configure the server to only allow the RC4-ciphers for TLS 1.0 and still allow the CBC-mode ciphers for TLS 1.1.

As per the TLS RFC's, shouldn't it be possible since the first message (ClientHello) in the handshake contains all the protocol versions and ciphers the client supports?

Checked mod_ssl and mod_gnutls for the unmentionable and it seems like they can't do it either.

Cheers!
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 84
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready