Welcome! Log In Create A New Profile


Cipher selected based on TLS version in ClientHello

Posted by nifer 
Cipher selected based on TLS version in ClientHello
December 13, 2012 06:08PM

First a disclaimer, I am not a professional SSL/TLS-dude :)

From what I gather, with TLS 1.0 and the BEAST attack, only non-CBC-mode ciphers (i.e. RC4) are still "secure".
TLS 1.1 mitigated that attack vector.

Consider a case when the server needs to support TLS 1.0 and TLS 1.1:
As far as I understand it, there's now way to configure the server to only allow the RC4-ciphers for TLS 1.0 and still allow the CBC-mode ciphers for TLS 1.1.

As per the TLS RFC's, shouldn't it be possible since the first message (ClientHello) in the handshake contains all the protocol versions and ciphers the client supports?

Checked mod_ssl and mod_gnutls for the unmentionable and it seems like they can't do it either.

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 265
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready