> From: Hanno Böck [mailto:ha...@hboeck.de]
> Sent: Saturday, June 28, 2014 10:36 PM
> 
> On Sat, 28 Jun 2014 20:05:21 +0200
> Kurt Roeckx <k...@roeckx.be> wrote:
> 
> > If you make such a patch, I might disable SSLv3 support in Debian,
> > but that's unlikely to make it in jessie.
> 
> The openssl configure script already has a disable-ssl3 option.
> 
> I experimented with it a while back and it didn't have any impact. I'm
> also running my servers without sslv3 (although the openssl there still
> supports it, I just disable it in the software configurations).

I had a quick play with building 1.0.1g with both SSLv2 and SSLv3 disabled a 
couple of weeks ago. There are unfortunate effects in the openssl application 
at least, where some logic appears not to have been updated for TLS. If both 
SSLv2 and SSLv3 are disabled, some commands are removed. For example the 
'ciphers' command is removed, presumably on the basis that if you don't have 
SSLv2 or SSLv3 then you can't have any interest in cipher suites. Didn't have 
time to pursue it further at the time, but was concerned there might be other 
less obvious problems.

It looks like there is some work to do to make this clean across the full 
project.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
