[openssl-dev] [openssl.org #3728] Question: does "sslv3" in log mean we're using SSLv3?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Mar 7 17:56:36 UTC 2015


On Thu 2015-03-05 08:58:10 -0800, Matt Caswell via RT wrote:
> On Thu Mar 05 17:42:49 2015, richard.c.paterson at sas.com wrote:
>> Apologies if this is the incorrect forum for this question.
>>
>> We're seeing error messages like SSL3_READ_BYTES and
>> SSL3_GET_SERVER_CERTIFICATE for some reason;
>>
>> - SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>
>> - SSL3_GET_BYTES:sslv3 alert handshake failure
>>
>> However, we believe
>> that we have disabled the use of SSLv3. Does the presence of
>> “SSL3_” in the logs indicate that we are still using SSLv3 and not
>> TLS like we think?
>
> No. These are just the names of internal functions. Originally written when it
> was just a choice of ssl2 or ssl3 they were subsequently reused for TLS - but
> the names have remained the same.

Is there a plan to change this in any subsequent release?  This kind of
misleading debugging information seems likely to confuse people.  I
understand that knowledgeable users and developers might be used to
seeing these exact strings, but fixing them to provide correct
information is probably better for the entire community in the
long-term.

           --dkg
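As an added illustration of the point made in this thread (example code written for this archive page, not from the thread, from OpenSSL or from any of its authors): an OpenSSL error string such as the two quoted above packs a library, a function and a reason code into the hex field, and the "SSL3_" function name is only the name of the C function that raised the error. The "sslv3 alert ..." wording is likewise the legacy reason name for alerts whose numbers are shared by SSLv3 and every TLS version (alerts first defined in TLS are named "tlsv1 alert ..."), so neither field says which protocol was negotiated; only the handshake result does, which in Python is `ssl.SSLSocket.version()`. The code packing assumed below is the `ERR_GET_LIB`/`ERR_GET_FUNC`/`ERR_GET_REASON` layout of OpenSSL 1.0.x/1.1.x and the function-less layout of 3.x; the alert numbers are those of RFC 5246; the sample strings are constructed.

```python
import re
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample strings in the layouts ERR_error_string() produces.
# OpenSSL 1.0.x/1.1.x:  error:<8 hex>:<library>:<function>:<reason>
# OpenSSL 3.x:          error:<8 hex>:<library>::<reason>   (function field is empty)
SAMPLES = [
    "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
    "error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure",
    "error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error",
    "error:0A000086:SSL routines::certificate verify failed",
]

ERR_LIB_SSL = 20  # OpenSSL's library id for the SSL/TLS code

# TLS alert descriptions (RFC 5246 section 7.2); SSLv3 uses the same numbers.
ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
}

# OpenSSL encodes "peer sent alert N" as reason code 1000 + N.
ALERT_REASON_BASE = 1000

_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


@dataclass
class OpenSSLError:
    code: int
    library: str
    function: str      # C function name only; "SSL3_..." does not mean SSLv3 on the wire
    reason: str
    lib_code: int
    func_code: int
    reason_code: int
    alert: Optional[int]          # TLS alert number if the reason is a received alert
    alert_name: Optional[str]


def decode_code(code: int, function_field: str) -> Tuple[int, int, int]:
    """Split the packed error code into (library, function, reason).

    Assumed layouts: with a function field (1.0.x/1.1.x) the code is
    lib:8 | func:12 | reason:12; without one (3.x) it is flag:1 | lib:8 | reason:23.
    """
    if function_field:
        return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    return (code >> 23) & 0xFF, 0, code & 0x7FFFFF


def parse_openssl_error(text: str) -> OpenSSLError:
    """Parse one ERR_error_string() line into its fields."""
    m = _ERR_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL error string: %r" % text)
    code = int(m.group(1), 16)
    library, function, reason = m.group(2), m.group(3), m.group(4)
    lib_code, func_code, reason_code = decode_code(code, function)
    alert = reason_code - ALERT_REASON_BASE if reason_code >= ALERT_REASON_BASE else None
    alert_name = ALERT_NAMES.get(alert) if alert is not None else None
    return OpenSSLError(code, library, function, reason,
                        lib_code, func_code, reason_code, alert, alert_name)


def describe(err: OpenSSLError) -> str:
    """Human-readable summary that separates symbol names from protocol facts."""
    if err.alert is not None:
        return ("peer sent alert %d (%s); raised in %s; the 'sslv3'/'tlsv1' prefix is the "
                "legacy reason name, not the negotiated protocol"
                % (err.alert, err.alert_name or "unknown", err.function or "unknown function"))
    return "local error %d (%s) raised in %s" % (
        err.reason_code, err.reason, err.function or "unknown function")


def client_context_without_sslv3() -> ssl.SSLContext:
    """Client context that cannot negotiate SSLv3 (or TLS 1.0/1.1).

    After a real handshake, sock.version() is the authoritative answer to
    "which protocol are we using"; the error-string function names are not.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for line in SAMPLES:
        e = parse_openssl_error(line)
        print("%s\n  -> %s" % (line, describe(e)))
```

Run on the constructed samples, the second string decodes to alert 40 (handshake_failure) received while `SSL3_READ_BYTES` was reading, and the third to alert 80 (internal_error) in the same function but with a "tlsv1" prefix, which shows that the prefix follows the alert's reason name rather than the protocol. The 3.x-style fourth sample has no function field at all, matching Matt's remark that the names were a historical artifact.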

