I think its great that SSLv2 is disabled by default or removed. However, this might cause some UI pain:
$ ./config shared no-ssl2 no-ssl3 Operating system: x86_64-whatever-linux2 Configuring for linux-x86_64 Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) ***** Unsupported options: no-ssl2 For years we have been pounding into people's heads: "configure with no-ssl2 no-ssl3". SSLv2 and SSLv3 are insecure. See, for example, http://www.owasp.org/index.php/C-Based_Toolchain_Hardening#Integration. Changing the behavior now such that 'no-ssl2' is an error creates additional rules that users should not have to worry about. User might accidentally omit 'no-ssl2' on OpenSSL 1.0.1 and below due to the new conditioning. I think it would be good for users to (1) disable or omit SSLv2 (as the library is doing), and (2) honor or ignore 'no-ssl2' (both achieve the same goal). -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4330 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
