OpenSSL 3.0.0 enabling SSLv3 support

Viktor Dukhovni openssl-users at dukhovni.org
Wed Oct 6 00:09:31 UTC 2021


On Tue, Oct 05, 2021 at 03:49:48PM -0700, Kory Hamzeh wrote:

> It looks like SSLv3 is not built by default in OpenSSL 3.0.0. At least
> SSLv3_method() is not defined, and looking at the conditional
> compilation of that function, it makes sense.
> 
> What command line option do I pass the Configure script to enable it?
> I tried enable-sslv3 and enable-SSLv3. It complained about both. I
> need to compile some old code (Python 2.7) which we will abandon soon.

Don't enable SSLv3 in OpenSSL 3.0, that's not doing anyone a favour.
Better to instead build the code in question against OpenSSL 1.1.1, if
SSLv3 actually needs to be *used*.  It is not a problem to install both
OpenSSL 1.1.1 and OpenSSL 3.0 side-by-side (shared libraries) on systems
with support for symbol versioning.

If the only purpose of SSLv3 is to get code to compile, that will not
in fact ever run, or that can reasonably just return an error when
it runs, you can enable the method stubs, without enabling support
for the protocol:

    ./Configure enable-ssl3-method ...

The default is to disable both "ssl3" and "ssl3-protocol" and I would
strongly encourage you to not enable both.  Nobody should be actually
using SSLv3 anymore, but exporting function stubs that will error out
makes some sense if required to support toolkits that wrap the OpenSSL
API and still want to expose SSLv3 methods.

-- 
    Viktor.
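
One way to check which of the build states described in the message above an installed OpenSSL is in, as an added example that is not part of the original message or the OpenSSL project's code. It assumes the disabled options show up as `OPENSSL_NO_SSL3` and `OPENSSL_NO_SSL3_METHOD` defines in the build's generated header (`include/openssl/configuration.h` in 3.0, `opensslconf.h` in 1.1.1); the function names and sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the SSLv3 state of an OpenSSL build from its generated
# config header. Assumption: a disabled "ssl3" / "ssl3-method" option appears
# there as "#define OPENSSL_NO_SSL3" / "#define OPENSSL_NO_SSL3_METHOD".

has_define() {  # has_define FILE MACRO: true if FILE contains "#define MACRO"
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# Prints one of: disabled | stubs-only | protocol-enabled | unknown
# Exit status: 0 = SSLv3 protocol not compiled in, 1 = compiled in, 2 = cannot tell.
ssl3_build_state() {
    hdr=$1
    # Refuse to guess from a file that does not look like an OpenSSL header.
    if [ ! -r "$hdr" ] || ! grep -q 'OPENSSL_' "$hdr"; then
        echo unknown; return 2
    fi
    if ! has_define "$hdr" OPENSSL_NO_SSL3; then
        echo protocol-enabled; return 1   # protocol code is compiled in
    fi
    if has_define "$hdr" OPENSSL_NO_SSL3_METHOD; then
        echo disabled                     # the default: no protocol, no stubs
    else
        echo stubs-only                   # enable-ssl3-method without the protocol
    fi
}

# Constructed sample headers (not copied from a real build), one per state.
sample_header() {
    echo '# define OPENSSL_CONFIGURED_API 30000'
    case $1 in
        disabled)   printf '#  define OPENSSL_NO_SSL3\n#  define OPENSSL_NO_SSL3_METHOD\n' ;;
        stubs-only) printf '# ifndef OPENSSL_NO_SSL3\n#  define OPENSSL_NO_SSL3\n# endif\n' ;;
        protocol-enabled) : ;;            # neither macro defined
    esac
}

# Usage: sh thisfile /path/to/include/openssl/configuration.h
if [ "$#" -gt 0 ]; then
    ssl3_build_state "$1"
fi
```

The non-zero exit status for `protocol-enabled` lets the check fail a build or packaging job directly.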

