OpenSSL 3.0.0 enabling SSLv3 support
kory at avatarci.com
Wed Oct 6 18:25:33 UTC 2021
Fair enough. We are not using SSLv3, the code just made reference to the method. I will compile it out.
> On Oct 5, 2021, at 5:09 PM, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> On Tue, Oct 05, 2021 at 03:49:48PM -0700, Kory Hamzeh wrote:
>> It looks like SSLv3 is not built by default in OpenSSL 3.0.0. At least
>> SSLv3_method() is not define, and looking at the conditional
>> compilation of that function, it makes sense.
>> What command line option do I pass the Configure script to enable it?
>> I tried enable-sslv3 and enable-SSLv3. It complained about both. I
>> need to compile some old code (Python 2.7) which we will abandon soon.
> Don't enable SSLv3 in OpenSSL 3.0, that's not doing anyone a favour.
> Better to instead build the code in question against OpenSSL 1.1.1, if
> SSLv3 actually needs to be *used*. It is not a problem to install both
> OpenSSL 1.1.1 and OpenSSL 3.0 side-by-side (shared libraries) on systems
> with support for symbol versioning.
> If the only purpose of SSLv3 is to get code to compile, that will not
> in fact ever run, or that can reasonably just return an error when
> it runs, you can enable the method stubs, without enabling support
> for the protocol:
> ./Configure enable-ssl3-method ...
> The default is to disable both "ssl3" and "ssl3-protocol" and I would
> strongly encourage you to not enable both. Nobody should be actually
> using SSLv3 anymore, but exporting function stubs that will error out
> makes some sense if required to support toolkits that wrap the OpenSSL
> API and still want to expose SSLv3 methods.
More information about the openssl-users