I'm curious why you would want to limit it to TLS only? As far as I can tell, TLS, SSL3, and SSL2 just define a way to negotiate with the client so they can agree on an encryption protocol to use and some options to enable (see 'OpenSSL_Options'). There are a number of other more subtle differences, but I think the REAL question is which encryption protocols you want to support! That is controlled by 'OpenSSL_Ciphers = DEFAULT:!LOW:!EXPORT', which I have set up to ban the lamest ciphers by default...
Fair warning: if you limit OpenSSL to TLS, you also limit FXP connections to other servers to TLS only. Sometimes that is OK and other times it might not be; don't be surprised if FXP transfers have issues.
In the future maybe I'll add support for FXP-only settings, but right now the control connection and data transfer share the same context because of host fingerprinting, tickets, etc.
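The post treats the protocol version and the cipher string as two separate knobs. The example below is added here and is not the poster's code or the server's own; it uses Python's `ssl` module, which is a thin binding over OpenSSL, so the cipher-string syntax is the same one the `OpenSSL_Ciphers` setting accepts. It expands a cipher string to the suites OpenSSL actually enables, flags suites a reviewer would object to (static RSA key exchange, which has no forward secrecy, or fewer than 128 bits of strength), and shows the version floor being set independently of the cipher list. The constant names `LEGACY_SPEC` and `STRICT_SPEC` and the function names are my own. On current OpenSSL builds the `LOW` and `EXPORT` classes are empty, so `!LOW:!EXPORT` is harmless but removes nothing; the `is_valid_spec` check makes that visible.

```python
import ssl

# Constructed cipher strings for illustration (names are this example's own).
# LEGACY_SPEC mirrors the OpenSSL_Ciphers value quoted in the post.
LEGACY_SPEC = "DEFAULT:!LOW:!EXPORT"
STRICT_SPEC = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"


def _context_for(spec):
    """Build a server context and apply the cipher string exactly as OpenSSL parses it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if the string selects no suite at all
    return ctx


def cipher_names(spec):
    """Suites OpenSSL enables for a cipher string, in server preference order.

    TLS 1.3 suites are always listed by OpenSSL; the string only governs TLS 1.2 and below.
    """
    return [c["name"] for c in _context_for(spec).get_ciphers()]


def is_valid_spec(spec):
    """True if the cipher string selects at least one suite on this OpenSSL build.

    "EXPORT" or "LOW" on their own select nothing on current OpenSSL, so they return False:
    excluding them with "!LOW:!EXPORT" is harmless, but it is not what keeps weak suites out.
    """
    try:
        _context_for(spec)
    except ssl.SSLError:
        return False
    return True


def weak_suites(spec, min_bits=128):
    """Names of enabled suites that lack forward secrecy or fall under min_bits of strength.

    get_ciphers() exposes OpenSSL's per-suite metadata: "kea" is the key exchange
    ("kx-rsa" is static RSA, "kx-ecdhe"/"kx-dhe" are ephemeral, "kx-any" is TLS 1.3),
    "strength_bits" is the effective key length.
    """
    flagged = []
    for c in _context_for(spec).get_ciphers():
        no_forward_secrecy = c["kea"] == "kx-rsa"
        too_short = c["strength_bits"] < min_bits
        if no_forward_secrecy or too_short:
            flagged.append(c["name"])
    return flagged


def tls_only_context(spec=STRICT_SPEC):
    """The other knob from the post: the protocol floor, set independently of the cipher string."""
    ctx = _context_for(spec)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSL3/TLS1.0/TLS1.1 regardless of ciphers
    return ctx


def version_floor(ctx):
    """Name of the lowest protocol version a context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    for spec in (LEGACY_SPEC, STRICT_SPEC):
        print(spec, "->", len(cipher_names(spec)), "suites, flagged:", weak_suites(spec))
    print("EXPORT alone is a valid spec:", is_valid_spec("EXPORT"))
    print("version floor:", version_floor(tls_only_context()))
```

Run it against the server's own `OpenSSL_Ciphers` value to see the suite list the string really produces; a string that looks strict but still yields `kx-rsa` entries is the usual surprise.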