[openssl-users] About no-ssl2

Richard Moore richmoore44 at gmail.com
Wed Mar 16 23:21:10 UTC 2016


On 16 March 2016 at 22:58, Viktor Dukhovni <openssl-users at dukhovni.org>
wrote:

> On Wed, Mar 16, 2016 at 10:52:39PM +0000, Richard Moore wrote:
>
> > On 16 March 2016 at 22:39, Viktor Dukhovni <openssl-users at dukhovni.org>
> > wrote:
> >
> > > On Wed, Mar 16, 2016 at 11:32:28PM +0100, Michel wrote:
> > > OpenSSL 1.1.0 has no vestigial SSLv2 code, and so nothing to disable
> > > with OPENSSL_NO_SSL2.  The "OPENSSL_NO_..." macros specify disabled
> > > features, not deleted code.
> > >
> >
> > That's the major flaw of the current design of flagging when features are
> > disabled rather than when they're present. I'm sure you'll get plenty more
> > reports like this.
>
> Use feature probing via autoconf, or just:
>
>     #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_NO_SSL2)
>     /* SSLv2 available */
>     #else
>     /* SSLv2 not available */
>     #endif
>
> Better yet, drop support for SSLv2, and then you don't care whether OpenSSL
> provides it or not.
>
>

SSL2 is simply an example of this issue, the same applies to others, e.g. it
will no doubt occur in future for NPN since ALPN has replaced it.

The problem is the concept itself since it will require every app to have
coded into it when a given feature was removed should it attempt to support
it when present.

Rich.