On Sat, Jun 28, 2014, Dominyk Tiller wrote:
>
> I wondered if you all had an opinion on disabling SSLv2 & SSLv3 during
> the ./configure process, and what kind of impact that'd have for
> end-users and general compatibility when building against an updated
> version of OpenSSL.
>
There are several different ways SSLv2 and SSLv3 could be disabled.

If you don't include any SSLv2 ciphersuites in the cipher list (the
default does not) then SSLv2 is disabled anyway. An application that
really needs to support SSLv2 can re-enable it if they so wish by
changing the cipher list.

If OpenSSL is configured with no-ssl2 then SSLv2 can never be used even
if the cipher string is changed. It's a similar case with no-ssl3.

The master branch links supported versions to security levels. If the
security level is higher than zero (default is 1) then SSLv2 is
disabled. If the level is 2 or higher then SSLv3 is also disabled.

There is another possibility which OpenSSL currently doesn't support.
The default options could include SSL_OP_NO_* flags to disable SSLv2 and
SSLv3 by default. An application wishing to re-enable them could clear
the appropriate flags but few (if any) existing applications do that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
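The switches Steve lists (configure-time no-ssl2/no-ssl3, the cipher list, the SSL_OP_NO_* flags, and the cipher-string security level that later shipped in 1.1.0) can be checked from an application without a network connection. The script below is an added example, not part of the original thread and not OpenSSL's own code; it uses Python's ssl module (3.7+), which wraps the same libssl calls, and every helper name in it is my own. It assumes the linked OpenSSL reports a suite's oldest usable protocol the way `openssl ciphers -v` prints it ("SSLv2", "SSLv3", "TLSv1.2", ...).

```python
"""Report which of the SSLv2/SSLv3 switches are in effect for the OpenSSL
this Python's ssl module is linked against (added example, own helper names)."""
import ssl


def default_context() -> ssl.SSLContext:
    """A fresh client context; Python sets SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 on it."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def build_supports(protocol: str) -> bool:
    """Configure-time switch. An OpenSSL built with no-ssl2 / no-ssl3 has the
    protocol removed entirely; Python 3.7+ exposes that as ssl.HAS_SSLv2 /
    ssl.HAS_SSLv3 being False. No run-time setting can bring it back."""
    return bool(getattr(ssl, "HAS_" + protocol, False))


def no_flag_set(ctx: ssl.SSLContext, protocol: str) -> bool:
    """Option switch: is SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 set on the context?
    Caveat: OpenSSL 1.1.0+ defines SSL_OP_NO_SSLv2 as 0 (SSLv2 code is gone),
    so for SSLv2 this test is meaningless there and build_supports() decides."""
    flag = getattr(ssl, "OP_NO_" + protocol, 0)
    return bool(ctx.options & flag)


def suites_for(cipher_string: str) -> dict:
    """Cipher-list switch. Apply a cipher string and group the enabled suites
    by the oldest protocol each is usable with (SSL_CIPHER_get_version, the
    second column of `openssl ciphers -v`). No "SSLv2" entries means SSLv2
    cannot be negotiated whatever else is configured."""
    ctx = default_context()
    ctx.set_ciphers(cipher_string)
    by_protocol = {}
    for suite in ctx.get_ciphers():
        by_protocol.setdefault(suite["protocol"], []).append(suite["name"])
    return by_protocol


def protocol_possible(ctx: ssl.SSLContext, protocol: str) -> bool:
    """Combine the switches: negotiable only if the build has the protocol,
    no SSL_OP_NO_* flag forbids it, the context's minimum version admits it,
    and at least one enabled suite is usable with it."""
    if not build_supports(protocol):
        return False
    if no_flag_set(ctx, protocol):
        return False
    # ssl.TLSVersion has no SSLv2 member: for SSLv2 the cipher list alone decides.
    floor = getattr(ssl.TLSVersion, protocol, None)
    if floor is not None and ctx.minimum_version > floor:
        return False
    return any(suite["protocol"] == protocol for suite in ctx.get_ciphers())


def allow_sslv3(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """What an application wanting SSLv3 back would have to do: clear the
    SSL_OP_NO_SSLv3 flag and drop the minimum version. Against a no-ssl3
    build protocol_possible(ctx, "SSLv3") stays False regardless."""
    ctx.options &= ~ssl.OP_NO_SSLv3
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_with_security_level(level: int) -> ssl.SSLContext:
    """Security-level switch via the cipher string (OpenSSL 1.1.0+ syntax):
    level 1 rejects SSLv2, level 2 and above reject SSLv3 as well, independently
    of the option flags. Raises ssl.SSLError on a libssl without @SECLEVEL."""
    ctx = default_context()
    ctx.set_ciphers("DEFAULT:@SECLEVEL=%d" % level)
    return ctx


if __name__ == "__main__":
    ctx = default_context()
    for proto in ("SSLv2", "SSLv3"):
        print(proto, "compiled in:", build_supports(proto),
              "SSL_OP_NO_* set:", no_flag_set(ctx, proto),
              "negotiable:", protocol_possible(ctx, proto))
    print("DEFAULT suites by protocol:",
          {k: len(v) for k, v in suites_for("DEFAULT").items()})
    print("SSLv3 after clearing the flag:",
          protocol_possible(allow_sslv3(ctx), "SSLv3"))
```

On any 1.1.0 or later build the script prints SSLv2 as not compiled in and, because libssl defines SSL_OP_NO_SSLv2 as zero there, the flag check reports it unset; that is the point of the compile-time switch being the only one that cannot be undone. Replace "DEFAULT" with your application's cipher string to see whether it still lists SSLv3-era suites.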
