[openssl-dev] [openssl.org #4612] Appcrash on SSL_CTX_new(SSLv2_server_method()) on windows 7 x64 with OpenSSL-1.0.1t

Viktor Kolodrevskiy via RT rt at openssl.org
Wed Aug 3 15:12:22 UTC 2016 

Hi,

If I want to enable ssl2 under windows build, will need to pass parameters:
    no-asm enable-ssl2 -DOPENSSL_USE_IPV6=0 VC-WIN32

So if I will need to build openssl under linux, parameters should be:
    no-asm enable-ssl2 -DOPENSSL_USE_IPV6=0

Is that right?


> On Jul 11, 2016, at 20:20, Kurt Cancemi via RT <rt at openssl.org> wrote:
> 
> Hello,
> 
> In 1.0.1s OpenSSL disabled SSLv2 by default in the build. So use perl Configure no-asm enable-ssl2 -DOPENSSL_USE_IPV6=0 VC-WIN32
> 
> Excerpt from CHANGES
> 
> "Changes between 1.0.1r and 1.0.1s [1 Mar 2016]"
>> Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
>    is by default disabled at build-time.  Builds that are not configured with
>    "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
>    users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
>    will need to explicitly call either of:
> 
>        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
>    or
>        SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
> 
>    as appropriate.  Even if either of those is used, or the application
>    explicitly uses the version-specific SSLv2_method() or its client and
>    server variants, SSLv2 ciphers vulnerable to exhaustive search key
>    recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
>    ciphers, and SSLv2 56-bit DES are no longer available.
>    (CVE-2016-0800)”
> 
> I highly advise you to stay clear of SSLv2 as it has numerous flaws. You are receiving crashes because SSLv2_server_method() returns NULL and SSL_CTX_new() returns NULL because the input argument (the server method) is NULL. You should check the return value of SSL_CTX_new() no matter what because it can fail.
> 
> Kurt Cancemi
> kurt at x64architecture.com
> 
>> On Jul 11, 2016, at 08:10, Dmytro Shamatrin via RT <rt at openssl.org> wrote:
>> 
>> Appcrash on SSL_CTX_new(SSLv2_server_method()) on windows 7 x64 with OpenSSL-1.0.1t
>> 
>> After upgrade from OpenSSL-1.0.1L version to 1.0.1t we got Appcrash on windows machine. After investigation I found that it started to happen after R version. 
> 
> 
> -- 
> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4612 <http://rt.openssl.org/Ticket/Display.html?id=4612>
> Please log in as guest with password guest if prompted
> 
> -- 
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev <https://mta.openssl.org/mailman/listinfo/openssl-dev>

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4612
Please log in as guest with password guest if prompted

More information about the openssl-dev mailing list