OpenSSL 3.0.0 enabling SSLv3 support
Mark Hack
markhack at markhack.com
Thu Oct 7 14:38:30 UTC 2021
Added to all the weaknesses in SSLv3, the only supported cipher suites
are either vulnerable or deprecated and not advisable.
SSL_RSA_WITH_NULL_MD5 NULL-MD5
SSL_RSA_WITH_NULL_SHA NULL-SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5
SSL_RSA_WITH_RC4_128_MD5 RC4-MD5
SSL_RSA_WITH_RC4_128_SHA RC4-SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5
SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA
SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
SSL_DH_DSS_WITH_DES_CBC_SHA DH-DSS-DES-CBC-SHA
SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA DH-DSS-DES-CBC3-SHA
SSL_DH_RSA_WITH_DES_CBC_SHA DH-RSA-DES-CBC-SHA
SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA DH-RSA-DES-CBC3-SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5
SSL_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA
SSL_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented.
SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented.
SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented.
On Wed, 2021-10-06 at 11:25 -0700, Kory Hamzeh wrote:
> Fair enough. We are not using SSLv3, the code just made reference to
> the method. I will compile it out.
>
> Thanks!
>
>
> > On Oct 5, 2021, at 5:09 PM, Viktor Dukhovni <
> > openssl-users at dukhovni.org> wrote:
> >
> > On Tue, Oct 05, 2021 at 03:49:48PM -0700, Kory Hamzeh wrote:
> >
> > > It looks like SSLv3 is not built by default in OpenSSL 3.0.0. At least
> > > SSLv3_method() is not defined, and looking at the conditional
> > > compilation of that function, it makes sense.
> > >
> > > What command line option do I pass the Configure script to enable it?
> > > I tried enable-sslv3 and enable-SSLv3. It complained about both. I
> > > need to compile some old code (Python 2.7) which we will abandon soon.
> >
> > Don't enable SSLv3 in OpenSSL 3.0, that's not doing anyone a favour.
> > Better to instead build the code in question against OpenSSL 1.1.1, if
> > SSLv3 actually needs to be *used*. It is not a problem to install both
> > OpenSSL 1.1.1 and OpenSSL 3.0 side-by-side (shared libraries) on systems
> > with support for symbol versioning.
> >
> > If the only purpose of SSLv3 is to get code to compile, that will not
> > in fact ever run, or that can reasonably just return an error when
> > it runs, you can enable the method stubs, without enabling support
> > for the protocol:
> >
> > ./Configure enable-ssl3-method ...
> >
> > The default is to disable both "ssl3" and "ssl3-protocol" and I would
> > strongly encourage you to not enable both. Nobody should be actually
> > using SSLv3 anymore, but exporting function stubs that will error out
> > makes some sense if required to support toolkits that wrap the OpenSSL
> > API and still want to expose SSLv3 methods.
> >
> > --
> > Viktor.
>
>
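The thread distinguishes three build states: the 3.0 default (no SSLv3 protocol, no SSLv3_method() symbol), enable-ssl3-method (the symbol links but returns an error at run time), and enable-ssl3 (the protocol can actually be negotiated). The script below is an added example, not code from the thread or from the OpenSSL project, for verifying which state a given build is in, either from the output of `openssl list -disabled` or from the generated header (openssl/configuration.h on 3.0, opensslconf.h on 1.1.1). It assumes the build lists "SSL3" when OPENSSL_NO_SSL3 is defined and "SSL3_METHOD" when OPENSSL_NO_SSL3_METHOD is defined, which is what apps/list.c prints; the sample outputs are constructed, not captured from a real build.

```shell
#!/bin/sh
# Added example (not from the thread): classify what an OpenSSL build did
# with SSLv3. Assumption: `openssl list -disabled` prints "SSL3" for
# OPENSSL_NO_SSL3 and "SSL3_METHOD" for OPENSSL_NO_SSL3_METHOD.

# _classify <protocol_disabled:0|1> <method_disabled:0|1>
# Maps the two flags to the three build states discussed in the thread.
_classify() {
    case "$1$2" in
        11) echo "protocol-and-method-disabled" ;;  # 3.0 default: nothing exported
        10) echo "method-stubs-only" ;;             # enable-ssl3-method: symbol links, errors at run time
        00) echo "protocol-enabled" ;;              # enable-ssl3: SSLv3 can really be negotiated
        *)  echo "inconsistent" ;;                  # protocol on with method off: Configure never produces this
    esac
}

# ssl3_status_from_list <text of `openssl list -disabled`>
ssl3_status_from_list() {
    p=0; m=0
    if printf '%s\n' "$1" | grep -qx 'SSL3'; then p=1; fi
    if printf '%s\n' "$1" | grep -qx 'SSL3_METHOD'; then m=1; fi
    _classify "$p" "$m"
}

# ssl3_status_from_header <text of configuration.h or opensslconf.h>
# The generated header carries lines of the form "# define OPENSSL_NO_SSL3".
ssl3_status_from_header() {
    p=0; m=0
    if printf '%s\n' "$1" | grep -Eq '^# *define OPENSSL_NO_SSL3$'; then p=1; fi
    if printf '%s\n' "$1" | grep -Eq '^# *define OPENSSL_NO_SSL3_METHOD$'; then m=1; fi
    _classify "$p" "$m"
}

# Constructed sample outputs (not captured from a real build).
SAMPLE_DEFAULT='Disabled:
MD2
SSL3
SSL3_METHOD
ZLIB'
SAMPLE_STUBS='Disabled:
MD2
SSL3
ZLIB'
SAMPLE_HEADER_ENABLED='#ifndef OPENSSL_NO_MD2
# define OPENSSL_NO_MD2
#endif'

# Live check against whatever openssl binary is on PATH, if any.
if command -v openssl >/dev/null 2>&1; then
    echo "local build: $(ssl3_status_from_list "$(openssl list -disabled 2>/dev/null)")"
fi
```

`openssl list -disabled` exists from 1.1.0 onwards; on a 1.0.2 binary the command fails and the empty output would be misread as "protocol-enabled", so for older builds use the header variant against the installed opensslconf.h instead. In a CI gate the expected result for a 3.0 build is "protocol-and-method-disabled", with "method-stubs-only" acceptable only for the compile-only case Viktor describes.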