[openssl-users] About no-ssl2

Viktor Dukhovni openssl-users at dukhovni.org
Wed Mar 16 22:58:56 UTC 2016


On Wed, Mar 16, 2016 at 10:52:39PM +0000, Richard Moore wrote:

> On 16 March 2016 at 22:39, Viktor Dukhovni <openssl-users at dukhovni.org>
> wrote:
> 
> > On Wed, Mar 16, 2016 at 11:32:28PM +0100, Michel wrote:
> > OpenSSL 1.1.0 has no vestigial SSLv2 code, and so nothing to disable
> > with OPENSSL_NO_SSL2.  The "OPENSSL_NO_..." macros specify disabled
> > features, not deleted code.
> >
> 
> That's the major flaw of the current design of flagging when features are
> disabled rather than when they're present. I'm sure you'll get plenty more
> reports like this.

Use feature probing via autoconf, or just:

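    #include <openssl/opensslv.h>    /* OPENSSL_VERSION_NUMBER */
    #include <openssl/opensslconf.h> /* OPENSSL_NO_SSL2, if SSLv2 is disabled */

    #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_NO_SSL2)
    /* SSLv2 available */
    #else
    /* SSLv2 not available */
    #endif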

Better yet, drop support for SSLv2, and then you don't care whether OpenSSL
provides it or not.

-- 
	Viktor.

