[openssl-users] Getting error 'SSLv2_client_method': identifier not found

Matt Caswell matt at openssl.org
Mon Jun 27 21:52:42 UTC 2016



On 27/06/16 20:49, Michael Wojcik wrote:
> The simplest fix is to change "SSLv2_client_method" to
> "SSLv23_client_method". (Inserting a single character; can't get much
> simpler than that.) But since you really don't want to talk to a server
> that only supports SSLv3, you might as well use TLSv1_client_method
> instead, or even better TLSv1_2_client_method. Since we have no idea
> what your program does, or what it has to interoperate with, we can't
> offer any more-specific advice.

I would always recommend using the version flexible
SSLv23_client_method() over the version fixed TLSv1_client_method() and
TLSv1_2_client_method(). If you use TLSv1_client_method() then you can
only ever talk TLSv1.0, even if both client and server are actually
capable of negotiating something better. Using TLSv1_2_client_method()
is kind of ok (except of course you deny yourself the possibility of
talking to servers that don't support TLSv1.2 yet) - but if you ever
upgrade OpenSSL to some future version that supports TLS1.3 (or later!)
then, if you forget to upgrade your app at the same time, you are stuck
with a less than optimal TLS version.

Therefore use SSLv23_client_method() and disable any versions that you
do not want to use with SSL_CTX_set_options()/SSL_set_options():
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html

Of course I echo what everyone else has said about not using
SSLv2_client_method() at all!!

Matt
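The approach Matt describes (take the version-flexible method, then mask off the versions you do not want), as an added example that is not from this thread, written against Python's standard `ssl` module because it wraps the same OpenSSL calls: `PROTOCOL_TLS_CLIENT` is the version-flexible client method and the `OP_NO_*` bits are the `SSL_OP_NO_*` flags one would pass to `SSL_CTX_set_options()`. The `disable` default and the helper names are my own choices.

```python
import ssl

# Protocol versions in order, each with the flag saying whether this OpenSSL build
# supports it and the option bit that switches it off. The OP_NO_* bits are the
# Python spellings of OpenSSL's SSL_OP_NO_* flags for SSL_CTX_set_options().
_VERSIONS = [
    ("SSLv2",   ssl.HAS_SSLv2,   ssl.OP_NO_SSLv2),
    ("SSLv3",   ssl.HAS_SSLv3,   ssl.OP_NO_SSLv3),
    ("TLSv1",   ssl.HAS_TLSv1,   ssl.OP_NO_TLSv1),
    ("TLSv1.1", ssl.HAS_TLSv1_1, ssl.OP_NO_TLSv1_1),
    ("TLSv1.2", ssl.HAS_TLSv1_2, ssl.OP_NO_TLSv1_2),
    ("TLSv1.3", ssl.HAS_TLSv1_3, ssl.OP_NO_TLSv1_3),
]


def flexible_client_context(disable=("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")):
    """Build a version-flexible client context and turn off unwanted versions.

    PROTOCOL_TLS_CLIENT is the version-flexible method (SSLv23_client_method()
    in the C API): it negotiates the highest version both peers support, so an
    OpenSSL upgrade that adds a newer TLS version is picked up without touching
    this code. Unwanted versions are removed with option bits, not by choosing a
    version-fixed method such as TLSv1_client_method().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for name, _built_in, bit in _VERSIONS:
        if name in disable:
            ctx.options |= bit
    return ctx


def enabled_versions(ctx):
    """Versions this context may still negotiate: compiled into the library and
    not masked by an OP_NO_* bit (a bit of 0 means the build has no such version)."""
    return [name for name, built_in, bit in _VERSIONS
            if built_in and not (bit and ctx.options & bit)]


if __name__ == "__main__":
    ctx = flexible_client_context()
    print("negotiable versions:", enabled_versions(ctx))
```

With the default `disable` set, the context still negotiates TLS 1.2 and, on a build that has it, TLS 1.3; the legacy SSL/TLS versions are refused whatever the server offers.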

