[openssl-dev] [openssl.org #4330] Unsupported options: no-ssl2

noloader@gmail.com via RT rt at openssl.org
Sun Feb 21 17:06:58 UTC 2016


I think it's great that SSLv2 is disabled by default or removed.
However, this might cause some UI pain:

  $ ./config shared no-ssl2 no-ssl3
  Operating system: x86_64-whatever-linux2
  Configuring for linux-x86_64
  Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L)
  ***** Unsupported options: no-ssl2

For years we have been pounding into people's heads: "configure with
no-ssl2 no-ssl3". SSLv2 and SSLv3 are insecure. See, for example,
http://www.owasp.org/index.php/C-Based_Toolchain_Hardening#Integration.

Changing the behavior now such that 'no-ssl2' is an error creates
additional rules that users should not have to worry about. Users might
accidentally omit 'no-ssl2' on OpenSSL 1.0.1 and below due to the new
conditioning.

I think it would be good for users to (1) disable or omit SSLv2 (as
the library is doing), and (2) honor or ignore 'no-ssl2' (both achieve
the same goal).


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4330
Please log in as guest with password guest if prompted
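
The conditioning the message warns about can be written so that it fails closed. The following is an added example, not part of the original message or of OpenSSL's build system. The helper name ssl_disable_opts is hypothetical, and the 1.1.0 cutoff is an assumption taken from the Configure output quoted above.

```shell
#!/bin/sh
# Added example; ssl_disable_opts is a hypothetical helper name.
# Assumption from the report above: Configure in the 1.1.0 pre-release
# rejects 'no-ssl2', while older releases accept it.

# Print the protocol-disabling options for an OpenSSL version string.
# Fails closed: a version that cannot be parsed is treated as an old
# release, so 'no-ssl2' is kept rather than silently dropped.
ssl_disable_opts() {
    ver=$1
    both="no-ssl2 no-ssl3"

    # Drop suffixes such as "-pre4-dev"; "1.0.1t" keeps its patch letter,
    # which does not matter because only major.minor is compared.
    base=${ver%%-*}

    # Require at least "digit ... dot digit"; otherwise keep both options.
    case "$base" in
        [0-9]*.[0-9]*) ;;
        *) echo "$both"; return 0 ;;
    esac

    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}

    # Reject anything non-numeric in major or minor.
    case "$major$minor" in
        ''|*[!0-9]*) echo "$both"; return 0 ;;
    esac

    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; }; then
        echo "no-ssl3"      # 1.1 and later: 'no-ssl2' is reported as unsupported
    else
        echo "$both"        # 1.0.x and earlier: both options are needed
    fi
}

# Usage (how $version is obtained is left to the caller):
#   ./config shared $(ssl_disable_opts "$version")
```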