[openssl-dev] [openssl.org #3625] Enhancement request: user convenience for SSL_CONF_CTX with SSLv2
Steffen Nurpmeso via RT
rt at openssl.org
Mon Dec 8 18:58:31 UTC 2014
Commit [45f55f6] (Remove SSLv2 support, 2014-11-30) completely
removed SSLv2 support and the commit message states "The only
support for SSLv2 left is receiving a SSLv2 compatible client
hello".
If people start using SSL_CONF_CTX as they are supposed to with
v1.0.2, then it can be expected that users start using strings
like, e.g. (from my thing),
set ssl-protocol="ALL,-SSLv2"
This results in the obvious problem that when they (get)
upgrade(d) their OpenSSL library they will see a completely
opaque error message that no normal user will understand:
SSL_CONF_CTX_cmd() failed:\
error:1414E180:SSL routines:SSL_CONF_CTX_cmd:bad value
(Ah yes, my _CTX_ diff also works in practice.)
I think it would be much better if at least a user request to
explicitly disable SSLv2 is silently ignored.
Another option would be to enhance the error message, of course...
--steffen
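One way an application can shield its users from the failure described above, as an added example that is not Steffen's patch and not OpenSSL's own code: before handing the configured protocol list to SSL_CONF_CTX_cmd() (assumed here to be used with the "Protocol" command), drop tokens that merely disable a protocol the linked library no longer has, while leaving any attempt to enable such a protocol untouched so that the library still rejects it. The REMOVED_PROTOCOLS list is constructed for this example; SSLv2 is the case from the ticket.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Protocol names the linked OpenSSL no longer knows about (constructed
 * list for this example). A request to *disable* one of these is a no-op
 * and can be dropped; a request to *enable* one ("+SSLv2" or "SSLv2") is
 * kept so that SSL_CONF_CTX_cmd() still fails loudly on it. */
static const char *const REMOVED_PROTOCOLS[] = { "SSLv2" };

static bool is_removed(const char *name, size_t len)
{
    size_t n = sizeof REMOVED_PROTOCOLS / sizeof REMOVED_PROTOCOLS[0];
    for (size_t i = 0; i < n; i++) {
        if (strlen(REMOVED_PROTOCOLS[i]) == len &&
            strncmp(REMOVED_PROTOCOLS[i], name, len) == 0)
            return true;
    }
    return false;
}

/* Copy the comma-separated Protocol value `spec` into `out`, dropping
 * tokens of the form "-<removed protocol>". Returns the number of tokens
 * dropped, or -1 if `out` is too small. All other tokens are copied
 * verbatim, in their original order. */
int sanitize_protocol_spec(const char *spec, char *out, size_t outlen)
{
    size_t used = 0;
    int dropped = 0;
    const char *p = spec;

    if (outlen == 0)
        return -1;
    out[0] = '\0';

    while (*p) {
        const char *comma = strchr(p, ',');
        size_t toklen = comma ? (size_t)(comma - p) : strlen(p);
        bool drop = toklen > 1 && p[0] == '-' && is_removed(p + 1, toklen - 1);

        if (drop) {
            dropped++;
        } else {
            size_t need = toklen + (used ? 1 : 0);   /* token plus separator */
            if (used + need + 1 > outlen)
                return -1;
            if (used)
                out[used++] = ',';
            memcpy(out + used, p, toklen);
            used += toklen;
            out[used] = '\0';
        }
        p = comma ? comma + 1 : p + toklen;
    }
    return dropped;
}

int main(void)
{
    /* Constructed input mirroring the ticket's "ALL,-SSLv2" setting. */
    const char *configured = "ALL,-SSLv2,-SSLv3";
    char cleaned[64];
    int dropped = sanitize_protocol_spec(configured, cleaned, sizeof cleaned);

    if (dropped < 0) {
        fprintf(stderr, "protocol list too long: %s\n", configured);
        return 1;
    }
    /* `cleaned` is what would now go to SSL_CONF_CTX_cmd(cctx, "Protocol", cleaned). */
    printf("configured: %s\ncleaned:    %s (dropped %d no-op token(s))\n",
           configured, cleaned, dropped);
    return 0;
}
```

Logging the dropped tokens (rather than silently discarding them) keeps the behaviour visible to the administrator while avoiding the "bad value" error for a setting that is harmless on the new library.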