I have a server running OpenSSL 0.9.8zc that browsers can access. I'm trying to protect the server from the POODLE attack by disabling SSLv3 in OpenSSL. The server is built in MSDEV 2005. I've modified the file openssl\Configure and added the following two lines to the section "my %disabled = ":
"ssl2" => "default",
"ssl3" => "default",
Then I compiled the OpenSSL module again. Checking the build output, I verified that many build objects were not created, which is good. For example: s2_clnt.obj, ssl_algs.obj, t1_clnt.obj, kssl.obj, d1_both.obj, bio_ssl.obj, and more...
BUT, when I try to open a connection to the server from a browser, IE6 SP3 (where the only protocol configured in the Advanced tab options is SSLv3), the connection to the server is made using SSLv3, although the server is supposed to have SSLv3 disabled.
Does disabling SSLv3 in OpenSSL need to be done differently? What set of actions do I need to perform before building OpenSSL in order to disable SSLv3?
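
An added example, not part of the original post and not OpenSSL code: a way to check what the rebuilt server negotiates without relying on a browser's protocol settings. It sends a ClientHello that offers only SSLv3 and classifies the first record of the reply; the cipher suite list, the function names and the command-line arguments are assumptions made for this illustration.

```python
import os
import socket
import struct
import sys

SSL3 = (3, 0)  # SSLv3 on the wire is version 3.0
# Constructed sample offer: RSA_RC4_128_SHA, RSA_3DES_EDE_CBC_SHA, RSA_AES_128_CBC_SHA
SUITES = [0x0005, 0x000A, 0x002F]

def build_client_hello(version=SSL3):
    """Return one record carrying a ClientHello that offers only `version`."""
    ver = bytes(version)
    body = ver + os.urandom(32) + b"\x00"      # client_version, random, empty session id
    body += struct.pack(">H", 2 * len(SUITES))
    body += b"".join(struct.pack(">H", s) for s in SUITES)
    body += b"\x01\x00"                        # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + ver + struct.pack(">H", len(handshake)) + handshake

def classify_reply(data):
    """Interpret the first record the server sent back."""
    if len(data) < 7:
        return "no-reply"                      # connection closed or reply truncated
    if data[0] == 0x15:                        # alert record: level, description
        return "rejected (alert %d)" % data[6]
    if data[0] == 0x16 and data[5] == 0x02 and len(data) >= 11:
        return "accepted %d.%d" % (data[9], data[10])  # ServerHello server_version
    return "unexpected"

def probe(host, port=443, timeout=5.0):
    """Offer only SSLv3 to host:port and report how the server answered."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_reply(data)

if __name__ == "__main__":
    # Usage: python probe_ssl3.py <host> [port], run against your own server
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(sys.argv[1], port))
```

A result of "accepted 3.0" means the SSLv3 code path is still active in the build the server is actually loading; an alert or a closed connection means the SSLv3-only offer was refused.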