Bruce,
I have 2 SSL related questions.
1. I was looking at OpenSSL and noticed there have been many updates and bug fixes for the dll's, yet NT is still shipping with the 2007 version. I lightly tested the June 2010 version 1.0.0.0a and it worked without any problems with my NT5 web server. Is there any reason I shouldn't use the newer version?
2. One of my clients notified me regarding a recent security audit that included an NT5 webserver. The audit indicated that while SSL3 was being used, SSL2 was also available. Meaning that they could force my server to respond using SSL2. SSL2 has many known security issues and has been replaced by SSL3 years ago. Since my app would respond to requests over SSL2, my app is potentially at risk for all those hacks. So my question is..... can you provide a property that a developer could set to restrict SSL to a specific version. For security purposes, this should probably be set by default. In my reading they said that unless you are using IE4, you should be using SSL3. So defaulting to the newer version shouldn't affect to many users. Having said all that, I don't entirely know what I am talking about so if something stated above is incorrect I apologize.
Thank You,
David
Topic: SSL - Questions for Bruce (Read 3030 times)