@end float
Unless the initial keyword is "NONE" the defaults (in preference
-order) are for TLS protocols TLS 1.2, TLS1.1, TLS1.0, SSL3.0; for
+order) are for TLS protocols TLS 1.2, TLS1.1, TLS1.0; for
compression NULL; for certificate types X.509.
In key exchange algorithms when in NORMAL or SECURE levels the
perfect forward secrecy algorithms take precedence of the other
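Review bot: the added line "+order) are for TLS protocols TLS 1.2, TLS1.1, TLS1.0; for" keeps the mixed spelling of version names (one with a space, two without). Since this line is being rewritten anyway, normalise it to "TLS 1.2, TLS 1.1, TLS 1.0", which matches the "TLS 1.0" and "TLS 1.2" spellings used in the example descriptions further down. This paragraph is also the natural place for one sentence saying that SSL 3.0 is no longer part of the defaults, so that readers comparing against older behaviour see the change stated rather than having to infer it from a missing list entry.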
COMP-NULL, COMP-DEFLATE. Catch all is COMP-ALL.
@item TLS versions @tab
-VERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1,
-VERS-TLS1.2, VERS-DTLS1.2, VERS-DTLS1.0.
+VERS-TLS1.0, VERS-TLS1.1, VERS-TLS1.2,
+VERS-DTLS1.0, VERS-DTLS1.2.
Catch all is VERS-TLS-ALL and VERS-DTLS-ALL.
@item Signature algorithms @tab
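Review bot: the "TLS versions" row drops VERS-SSL3.0 from the keyword list entirely, yet the compatibility example later in this patch still uses "+VERS-SSL3.0" in a priority string. If the keyword is still accepted, keep it in this table and mark it as not enabled by default, so that administrators who see it in an existing priority string can look it up. If the keyword is no longer accepted, the example that uses it needs to change as well. As written, the table and the example disagree.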
Specifying the defaults except ARCFOUR-128:
"NORMAL:-ARCFOUR-128"
-Enabling the 128-bit secure ciphers, while disabling SSL 3.0 and enabling compression:
- "SECURE128:-VERS-SSL3.0:+COMP-DEFLATE"
+Enabling the 128-bit secure ciphers, while disabling TLS 1.0 and enabling compression:
+ "SECURE128:-VERS-TLS1.0:+COMP-DEFLATE"
Enabling the 128-bit and 192-bit secure ciphers, while disabling all TLS versions
except TLS 1.2:
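Review bot: the replacement example "SECURE128:-VERS-TLS1.0:+COMP-DEFLATE" still turns on DEFLATE compression, while the defaults paragraph at the top of this patch gives NULL as the default compression. Swapping "-VERS-SSL3.0" for "-VERS-TLS1.0" makes sense now that SSL 3.0 is out of the defaults, but readers tend to copy these strings verbatim, and an example headed "128-bit secure ciphers" should not also move them off the documented compression default. Suggest dropping ":+COMP-DEFLATE" from this example, or moving it to a separate example that is only about compression.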
NORMAL:%COMPAT
@end verbatim
-For broken peers that do not tolerate TLS version numbers over TLS 1.0
+For very old broken peers that do not tolerate TLS version numbers over TLS 1.0
another priority string is:
@verbatim
NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT
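Review bot: the reworded sentence now describes "very old broken peers" that do not tolerate versions over TLS 1.0, but the unchanged priority string that follows it, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT", also re-enables SSL 3.0, which the rest of this patch removes from the defaults and from the keyword table. A string limited to "+VERS-TLS1.0" would already satisfy the stated purpose. Either drop ":+VERS-SSL3.0" from the example, or have the sentence say explicitly that the string enables SSL 3.0 in addition to capping the version at TLS 1.0, so nobody enables it by copying the example.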