OpenSSL 3.0.0 enabling SSLv3 support
markhack at markhack.com
Thu Oct 7 14:38:30 UTC 2021
Added to all the weaknesses in SSLv3, the only supported cipher suites
are either vulnerable or deprecated and not advisable.
SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented.
SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented.
SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented.
On Wed, 2021-10-06 at 11:25 -0700, Kory Hamzeh wrote:
> Fair enough. We are not using SSLv3, the code just made reference to
> the method. I will compile it out.
> > On Oct 5, 2021, at 5:09 PM, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> > On Tue, Oct 05, 2021 at 03:49:48PM -0700, Kory Hamzeh wrote:
> > > It looks like SSLv3 is not built by default in OpenSSL 3.0.0. At least
> > > SSLv3_method() is not defined, and looking at the conditional
> > > compilation of that function, it makes sense.
> > >
> > > What command line option do I pass the Configure script to enable it?
> > > I tried enable-sslv3 and enable-SSLv3. It complained about both. I
> > > need to compile some old code (Python 2.7) which we will abandon soon.
> > Don't enable SSLv3 in OpenSSL 3.0, that's not doing anyone a favour.
> > Better to instead build the code in question against OpenSSL 1.1.1, if
> > SSLv3 actually needs to be *used*. It is not a problem to install both
> > OpenSSL 1.1.1 and OpenSSL 3.0 side-by-side (shared libraries) on systems
> > with support for symbol versioning.
> >
> > If the only purpose of SSLv3 is to get code to compile, that will not
> > in fact ever run, or that can reasonably just return an error when
> > it runs, you can enable the method stubs, without enabling support
> > for the protocol:
> >
> >     ./Configure enable-ssl3-method ...
> >
> > The default is to disable both "ssl3" and "ssl3-protocol" and I would
> > strongly encourage you to not enable both. Nobody should be actually
> > using SSLv3 anymore, but exporting function stubs that will error out
> > makes some sense if required to support toolkits that wrap the OpenSSL
> > API and still want to expose SSLv3 methods.
> >
> > --
> > Viktor.
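
An added example, not part of the original thread: a small audit script for the "compile it out" approach. It lists references to the SSLv3 method functions in C source that are not wrapped in a conditional on OPENSSL_NO_SSL3_METHOD, the macro OpenSSL's ssl.h uses for this conditional compilation. The function names and the sample source are constructed for illustration.

```python
import re

# SSLv3 entry points that ssl.h declares only if OPENSSL_NO_SSL3_METHOD is unset.
SSL3_CALL = re.compile(r"\bSSLv3_(?:client_|server_)?method\s*\(")
GUARD = "OPENSSL_NO_SSL3_METHOD"
DIRECTIVE = re.compile(r"^\s*#\s*(ifndef|ifdef|if|elif|else|endif)\b(.*)$")
CONDITION = re.compile(r"(!?)\s*(defined\s*\(?\s*)?%s\s*\)?" % GUARD)


def guard_kind(directive, rest):
    """Return (body_guarded, else_guarded) for an opening #if/#ifdef/#ifndef."""
    m = CONDITION.fullmatch(rest.strip())
    if not m or (directive == "if" and not m.group(2)):
        return (False, False)
    negated = directive == "ifndef" or (directive == "if" and m.group(1) == "!")
    return (negated, not negated)


def unguarded_ssl3_refs(source):
    """Return [(line_no, text)]; comments are not stripped, so they count too."""
    stack = []  # per open conditional: (guarded_now, guarded_after_else)
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            directive, rest = m.groups()
            if directive in ("if", "ifdef", "ifndef"):
                stack.append(guard_kind(directive, rest))
            elif directive == "else" and stack:
                stack[-1] = (stack[-1][1], False)
            elif directive == "elif" and stack:
                stack[-1] = (False, False)  # conservative: treat as unguarded
            elif directive == "endif" and stack:
                stack.pop()
        elif SSL3_CALL.search(line) and not any(g for g, _ in stack):
            findings.append((no, line.strip()))
    return findings


# Constructed sample: one guarded reference, one that breaks a default 3.0 build.
SAMPLE = """\
#ifndef OPENSSL_NO_SSL3_METHOD
    if (legacy) return SSLv3_method();
#endif
    return TLS_method();
const SSL_METHOD *old(void) { return SSLv3_client_method(); }
"""
```

Calling `unguarded_ssl3_refs(SAMPLE)` reports only line 5; a guard with a trailing comment on the directive line is treated as unguarded, so it is flagged for manual review rather than silently skipped.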