I've been banging my head against my desk for far too long on this and couldn't figure anything out, hence my question.
When using OpenSSL, how can I disable certain ciphers, disable certain versions (SSLv2), and perhaps enable only certain ciphers? In the 'Network Security with OpenSSL' book, it states that SSL will usually use the first cipher in a list to make the connection with. When I run 'openssl ciphers -v' I get a long unordered list of ciphers. When I make a connection using something like 'openssl s_client -connect host:port', in the output I can see that I am connecting with DES_CBC3-SHA. If I then "think" I am setting the cipher list by issuing a command like "openssl ciphers -v 'SSLv3+HIGH:TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:@STRENGTH'", and then try the connect command again, I can see I am using the same cipher.
The driving force for this is that I need to remediate a number of hosts that were flagged during a recent vulnerability scan with findings similar to "SSL Medium Cipher Suite Supported", "SSL v2 Detected", and "SSL Weak Cipher Suite Supported". I have a list of specific ciphers that the scanner didn't like, and would like to disable those. Is that possible with OpenSSL? I thought it might be kept in the openssl.cnf file, but that seems to be more related to issuing certificates. I would like to know: how to enable/disable specific ciphers so that only those selected/enabled will be used, and how to disable SSLv2.
I would tremendously appreciate any help on this.
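An added example, not part of the original post, showing the distinction the question trips over: 'openssl ciphers' only expands a cipher string, it never changes what a client or server negotiates, so the string has to be handed to the program that opens the connection (for the CLI client, the s_client -cipher option). It assumes the openssl CLI is on PATH, uses a constructed list of scanner-flagged suites, and spells the suite the question calls DES_CBC3-SHA the way OpenSSL does, DES-CBC3-SHA.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is on PATH.
# 'openssl ciphers' only *expands* a cipher-spec string; it never changes what a
# server or client negotiates. The spec must be given to the program that opens
# the connection (for the CLI client: openssl s_client -cipher SPEC).

# Print the suites a spec expands to, one per line, in preference order.
expand_cipher_spec() {
    openssl ciphers "$1" | tr ':' '\n'
}

# Return 0 if none of the named suites survive the spec, 1 if any of them does.
# Usage: spec_excludes SPEC SUITE [SUITE...]
spec_excludes() {
    spec=$1; shift
    list=$(expand_cipher_spec "$spec") || return 1
    for suite in "$@"; do
        if printf '%s\n' "$list" | grep -qx "$suite"; then
            echo "spec still allows $suite" >&2
            return 1
        fi
    done
    return 0
}

# Return 0 if the spec expands to at least one suite and none of them is
# anonymous (Au=None) or unencrypted (Enc=None), i.e. !aNULL/!eNULL took effect.
spec_has_no_null_suites() {
    out=$(openssl ciphers -v "$1") || return 1
    [ -n "$out" ] || return 1
    ! printf '%s\n' "$out" | grep -Eq 'Au=None|Enc=None'
}

# Suites flagged by the scanner (constructed sample input). OpenSSL's name for
# the suite the question calls DES_CBC3-SHA is DES-CBC3-SHA.
FLAGGED="DES-CBC3-SHA RC4-SHA RC4-MD5"

# A spec that keeps only strong suites and explicitly drops the flagged families.
SPEC='HIGH:!aNULL:!eNULL:!3DES:!RC4:@STRENGTH'

# Run as "sh script.sh check": verify the spec, then print the client command that
# actually negotiates with it (host:port is a placeholder).
if [ "${1:-}" = "check" ]; then
    spec_excludes "$SPEC" $FLAGGED && spec_has_no_null_suites "$SPEC" \
        && echo "spec OK, first preference: $(expand_cipher_spec "$SPEC" | head -n 1)"
    echo "to test a server with it: openssl s_client -connect host:port -cipher '$SPEC'"
fi
```

The same string goes into the server application's own cipher setting (it is not read from openssl.cnf), which is the change that makes the scanner findings go away.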