[openssl-users] About no-ssl2
Richard Moore
richmoore44 at gmail.com
Wed Mar 16 23:21:10 UTC 2016
On 16 March 2016 at 22:58, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> On Wed, Mar 16, 2016 at 10:52:39PM +0000, Richard Moore wrote:
>
> > On 16 March 2016 at 22:39, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> >
> > > On Wed, Mar 16, 2016 at 11:32:28PM +0100, Michel wrote:
> > > OpenSSL 1.1.0 has no vestigial SSLv2 code, and so nothing to disable
> > > with OPENSSL_NO_SSL2. The "OPENSSL_NO_..." macros specify disabled
> > > features, not deleted code.
> > >
> >
> > That's the major flaw of the current design of flagging when features are
> > disabled rather than when they're present. I'm sure you'll get plenty more
> > reports like this.
>
> Use feature probing via autoconf, or just:
>
> #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_NO_SSL2)
> /* SSLv2 available */
> #else
> /* SSLv2 not available */
> #endif
>
> Better yet, drop support for SSLv2, and then you don't care whether OpenSSL
> provides it or not.
>
>
SSL2 is simply an example of this issue; the same applies to others, e.g. it
will no doubt occur in future for NPN since ALPN has replaced it.
The problem is the concept itself since it will require every app to have
coded into it when a given feature was removed should it attempt to support
it when present.
Rich.
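
The autoconf feature probing suggested in the quoted reply above, written as a `configure.ac` fragment. This is an added example, not part of the original thread or of OpenSSL; it assumes the package already calls `AC_INIT`, `AC_PROG_CC` and `AC_CONFIG_HEADERS([config.h])`, and that the application links against libssl.

```m4
dnl Added example: probe the installed OpenSSL for optional features at
dnl configure time, so the application never hard-codes the release in
dnl which a feature was removed.
dnl Assumes AC_INIT, AC_PROG_CC and AC_CONFIG_HEADERS([config.h]) appear
dnl earlier in configure.ac.

dnl Locate the libraries using symbols that are real functions in both
dnl the 1.0.x and 1.1.0 series.
AC_SEARCH_LIBS([ERR_get_error], [crypto], [],
  [AC_MSG_ERROR([libcrypto not found])])
AC_SEARCH_LIBS([SSL_CTX_new], [ssl], [],
  [AC_MSG_ERROR([libssl not found])])

dnl Each function that links gets HAVE_<NAME> defined in config.h:
dnl   HAVE_SSLV2_METHOD                      SSLv2 (the case in this thread)
dnl   HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB  NPN
dnl   HAVE_SSL_CTX_SET_ALPN_PROTOS           ALPN
AC_CHECK_FUNCS([SSLv2_method SSL_CTX_set_next_proto_select_cb SSL_CTX_set_alpn_protos])

dnl Report the SSLv2 result in the configure output.
AS_IF([test "x$ac_cv_func_SSLv2_method" = xyes],
  [AC_MSG_NOTICE([OpenSSL provides SSLv2_method])],
  [AC_MSG_NOTICE([OpenSSL does not provide SSLv2_method])])
```

Application code then tests `#ifdef HAVE_SSLV2_METHOD` after including `config.h`. The probe checks what the library exports at link time; it does not check that the headers found at compile time belong to the same build.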