1) No, there is no priority. It works like this: The client announces to the server the highest TLS/SSL version it supports (this is specified by client.Settings.SslAllowedVersions). The server either accepts this or asks the client to use a lower version instead. In that case, the client only uses the lower version if the TlsVersion mask actually allows it as well (otherwise, the connection fails).
However, please note that TlsVersion.Any is not the default value in Rebex components. Currently, the SSL-enabled components (FTP, IMAP, POP3 or SMTP) use the following value for client.Settings.SslAllowedVersions by default:
TlsVersion.TLS11 | TlsVersion.TLS10
This means - use TLS 1.1 if possible, otherwise allow TLS 1.0.
Please note that this used to be TlsVersion.TLS10 | TlsVersion.SSL30 until version 2014 R2. We removed SSL 3.0 from the list because it is no longer considered secure enough and it's susceptible to the POODLE attack (it can still be enabled if needed), and we added TLS 1.1 because it's already widely supported. In the next release, we will add TLS 1.2 support as well.
So to sum it up - if you are using the latest version of Rebex components, it's usually best to use the default for SslAllowedVersions. If you specified TlsVersion.Any, you would also enable SSL 3.0, which is no longer considered secure and should only be used if it's the only version the server supports (which is very rare).
2) Yes, there is a priority here. When you choose TlsCipherSuite.Secure, the following ciphers will be enabled. They are sorted by priority - the topmost algorithm that happens to be supported both by the client and the server will be used:
- DHE_RSA_WITH_AES_128_CBC_SHA
- DHE_RSA_WITH_AES_256_CBC_SHA
- RSA_WITH_AES_128_CBC_SHA
- RSA_WITH_AES_256_CBC_SHA
- DHE_DSS_WITH_AES_128_CBC_SHA
- DHE_DSS_WITH_AES_256_CBC_SHA
- DHE_RSA_WITH_3DES_EDE_CBC_SHA
- RSA_WITH_3DES_EDE_CBC_SHA
- DHE_DSS_WITH_3DES_EDE_CBC_SHA
- RSA_WITH_RC4_128_SHA
- DHE_DSS_WITH_RC4_128_SHA
Please note that this will change in the next release as well - we are adding support for SHA-256 based ciphers.
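
The selection rules described in the answer above, modelled in Python as an added example (not Rebex code and not part of the original answer). The `TlsVersion` enum, `DEFAULT_MASK`, and both function names are hypothetical stand-ins; the suite order is copied from the list above, and the server capabilities are constructed sample input.

```python
from enum import IntFlag

class TlsVersion(IntFlag):
    # Hypothetical stand-in for a version mask; a larger value is a newer protocol.
    SSL30 = 1
    TLS10 = 2
    TLS11 = 4
    ANY = SSL30 | TLS10 | TLS11

DEFAULT_MASK = TlsVersion.TLS11 | TlsVersion.TLS10  # default quoted in the answer

# Priority order copied from the list in the answer (topmost first).
SECURE_SUITES = [
    "DHE_RSA_WITH_AES_128_CBC_SHA", "DHE_RSA_WITH_AES_256_CBC_SHA",
    "RSA_WITH_AES_128_CBC_SHA", "RSA_WITH_AES_256_CBC_SHA",
    "DHE_DSS_WITH_AES_128_CBC_SHA", "DHE_DSS_WITH_AES_256_CBC_SHA",
    "DHE_RSA_WITH_3DES_EDE_CBC_SHA", "RSA_WITH_3DES_EDE_CBC_SHA",
    "DHE_DSS_WITH_3DES_EDE_CBC_SHA", "RSA_WITH_RC4_128_SHA",
    "DHE_DSS_WITH_RC4_128_SHA",
]

def negotiate_version(allowed, server_versions):
    """Return the agreed version, or None when the connection fails."""
    ordered = (TlsVersion.TLS11, TlsVersion.TLS10, TlsVersion.SSL30)
    enabled = [v for v in ordered if allowed & v]
    if not enabled:
        return None
    announced = enabled[0]  # client announces the highest version in its mask
    # Server accepts the announced version or asks for a lower one it supports.
    candidates = [v for v in server_versions if v <= announced]
    if not candidates:
        return None
    answer = max(candidates)
    # The client uses a lower version only if its own mask allows it.
    return answer if allowed & answer else None

def choose_suite(client_priority, server_suites):
    """Return the topmost client suite that the server also supports."""
    for suite in client_priority:
        if suite in server_suites:
            return suite
    return None

if __name__ == "__main__":
    legacy_server = {TlsVersion.SSL30}  # constructed: an SSL 3.0-only server
    print(negotiate_version(DEFAULT_MASK, legacy_server))    # connection fails
    print(negotiate_version(TlsVersion.ANY, legacy_server))  # falls back to SSL 3.0
    print(choose_suite(SECURE_SUITES,
                       {"RSA_WITH_RC4_128_SHA", "RSA_WITH_AES_256_CBC_SHA"}))
```

With the default mask the SSL 3.0-only server is refused, while `TlsVersion.ANY` accepts the fallback to SSL 3.0, which is the exposure the answer warns about.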