[openssl-dev] [openssl.org #3625] Enhancement request: user convenience for SSL_CONF_CTX with SSLv2

Stephen Henson via RT rt at openssl.org
Tue Dec 9 14:33:33 UTC 2014


On Mon Dec 08 19:58:31 2014, sdaoden at yandex.com wrote:
> Commit [45f55f6] (Remove SSLv2 support, 2014-11-30) completely
> removed SSLv2 support and the commit message states "The only
> support for SSLv2 left is receiving a SSLv2 compatible client
> hello".
>
> If people start using SSL_CONF_CTX as they are supposed to with
> v1.0.2, then it can be expected that users start using strings
> like, e.g. (from my thing),
>
> set ssl-protocol="ALL,-SSLv2"
>
> This results in the obvious problem that when they (get)
> upgrade(d) their OpenSSL library they will see a completely
> intransparent error message that no normal user will understand:
>
> SSL_CONF_CTX_cmd() failed:\
> error:1414E180:SSL routines:SSL_CONF_CTX_cmd:bad value
>
> (Ah ja, my _CTX_ diff also works in practice.)
> I think it would be much better if at least a user request to
> explicitly disable SSLv2 is silently ignored.
> Another option would be to enhance the error message, of course...
>

If you print out the additional error data it should also indicate which
command and value it is objecting to, though it will only say it doesn't like
the whole string and not the specific part of it it is rejecting.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
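As an added illustration (not code from the thread, OpenSSL, or the reporter's application): a small model of the "Protocol" list handling that the two messages above are about. It is stand-alone C with no OpenSSL dependency, and its semantics are an assumption (a bare name or "+name" enables, "-name" disables, "ALL" means every version), so it should not be read as a description of what ssl_conf.c actually does. It shows both points raised in the thread: the caller is told exactly which token was rejected rather than just "bad value" for the whole string, and an explicit "-SSLv2" is tolerated as a no-op because there is nothing left to disable, while a request to enable SSLv2 still fails since it cannot be honoured.

```c
#include <stdio.h>
#include <string.h>

/* Protocol bits for the versions a "Protocol" value can name.  SSLv2 has
 * no bit on purpose: it is removed, as the quoted commit message says.
 * (Model code for this example, not OpenSSL's own tables.) */
#define PROTO_SSLv3   0x01u
#define PROTO_TLSv1   0x02u
#define PROTO_TLSv1_1 0x04u
#define PROTO_TLSv1_2 0x08u
#define PROTO_ALL     (PROTO_SSLv3 | PROTO_TLSv1 | PROTO_TLSv1_1 | PROTO_TLSv1_2)

static const struct { const char *name; unsigned bit; } proto_table[] = {
    { "ALL",     PROTO_ALL },
    { "SSLv3",   PROTO_SSLv3 },
    { "TLSv1",   PROTO_TLSv1 },
    { "TLSv1.1", PROTO_TLSv1_1 },
    { "TLSv1.2", PROTO_TLSv1_2 },
};

/* Parse a comma separated list such as "ALL,-SSLv2" (assumed semantics:
 * bare name or "+name" enables, "-name" disables).  "-SSLv2" is accepted
 * as a no-op because the protocol no longer exists; "SSLv2" / "+SSLv2"
 * is rejected because it cannot be honoured.  Returns 0 on success, -1
 * on failure with the offending token copied into badtok so the caller
 * can name it instead of reporting a bare "bad value". */
int parse_protocol_list(const char *value, unsigned *mask,
                        char *badtok, size_t badlen)
{
    unsigned enabled = 0;
    const char *p = value;

    if (badlen)
        badtok[0] = '\0';

    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *name = p;
        size_t nlen = len, i;
        int disable = 0, found = 0;

        if (nlen && (name[0] == '-' || name[0] == '+')) {
            disable = (name[0] == '-');
            name++;
            nlen--;
        }

        if (nlen == 5 && strncmp(name, "SSLv2", 5) == 0 && disable) {
            found = 1;                 /* tolerated: nothing to disable */
        } else {
            for (i = 0; i < sizeof proto_table / sizeof proto_table[0]; i++) {
                if (strlen(proto_table[i].name) == nlen &&
                    strncmp(proto_table[i].name, name, nlen) == 0) {
                    if (disable)
                        enabled &= ~proto_table[i].bit;
                    else
                        enabled |= proto_table[i].bit;
                    found = 1;
                    break;
                }
            }
        }

        if (!found) {
            if (badlen) {
                size_t n = len < badlen - 1 ? len : badlen - 1;
                memcpy(badtok, p, n);      /* keep the "+"/"-" prefix too */
                badtok[n] = '\0';
            }
            return -1;
        }
        p = end ? end + 1 : p + len;
    }

    *mask = enabled;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the reporter's string, a normal hardening list,
     * an attempt to enable the removed protocol, and an unknown name. */
    const char *inputs[] = { "ALL,-SSLv2", "ALL,-SSLv3,-TLSv1",
                             "ALL,SSLv2", "ALL,TLSv1.3" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        unsigned mask;
        char bad[32];

        if (parse_protocol_list(inputs[i], &mask, bad, sizeof bad) == 0)
            printf("Protocol=\"%s\": ok, mask 0x%02x\n", inputs[i], mask);
        else
            printf("Protocol=\"%s\": bad value, rejected token \"%s\"\n",
                   inputs[i], bad);
    }
    return 0;
}
```

The interesting design choice is the asymmetry: disabling something that is already gone is the safe direction, so it is accepted, whereas enabling it would silently leave the caller with a weaker configuration than it asked for, so it is refused and named in the error.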