[openssl-dev] [openssl.org #4330] Unsupported options: no-ssl2

Richard Levitte via RT rt at openssl.org
Mon Feb 22 09:49:05 UTC 2016


Does the attached patch work for you?

On Sun, 21 Feb 2016 at 17.06.58, noloader at gmail.com wrote:
> I think it's great that SSLv2 is disabled by default or removed.
> However, this might cause some UI pain:
>
> $ ./config shared no-ssl2 no-ssl3
> Operating system: x86_64-whatever-linux2
> Configuring for linux-x86_64
> Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L)
> ***** Unsupported options: no-ssl2
>
> For years we have been pounding into people's heads: "configure with
> no-ssl2 no-ssl3". SSLv2 and SSLv3 are insecure. See, for example,
> http://www.owasp.org/index.php/C-Based_Toolchain_Hardening#Integration.
>
> Changing the behavior now such that 'no-ssl2' is an error creates
> additional rules that users should not have to worry about. Users might
> accidentally omit 'no-ssl2' on OpenSSL 1.0.1 and below due to the new
> conditioning.
>
> I think it would be good for users to (1) disable or omit SSLv2 (as
> the library is doing), and (2) honor or ignore 'no-ssl2' (both achieve
> the same goal).
>


--
Richard Levitte
levitte at openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4330
Please log in as guest with password guest if prompted

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Configure.diff
Type: text/x-patch
Size: 1696 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160222/6e1366ea/attachment.bin>