[openssl-dev] [openssl.org #3625] Enhancement request: user convenience for SSL_CONF_CTX with SSLv2
Steffen Nurpmeso
sdaoden at yandex.com
Tue Dec 9 11:11:34 UTC 2014
"Kurt Roeckx via RT" <rt at openssl.org> wrote:
|On Mon, Dec 08, 2014 at 07:58:31PM +0100, Steffen Nurpmeso via RT wrote:
|> set ssl-protocol="ALL,-SSLv2"
|>
|> This results in the obvious problem that when they (get)
|> upgrade(d) their OpenSSL library they will see a completely
|> intransparent error message that no normal user will understand:
|
|It was actually my intention to keep supporting that, but I seem
|to have removed that line. I think the following patch should fix
|that:
|--- a/ssl/ssl_conf.c
|+++ b/ssl/ssl_conf.c
|@@ -333,6 +333,7 @@ static int cmd_Protocol(SSL_CONF_CTX *cctx,
|const char *value)
| static const ssl_flag_tbl ssl_protocol_list[] =
| {
| SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK),
|+ SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2),
| SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
| SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
| SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
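Review bot: the added `SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2)` entry should carry a short comment in the table explaining why it is kept: with SSL_OP_NO_SSLv2 now defined as 0x0L (as noted in the reply below), the entry changes nothing in the option mask and exists only so that existing configuration strings such as "ALL,-SSLv2" keep parsing instead of failing with an unhelpful error. Without that comment the next cleanup pass is likely to remove the line again, which is exactly how this regression was introduced; a matching note under the `Protocol` command in the SSL_CONF_cmd documentation, stating that "SSLv2" is accepted for compatibility but has no effect, would close the loop for users.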
Sure, since SSL_OP_NO_SSLv2 still exists as 0x0L, as I see now.
--steffen