Does the attached patch work for you?

On Sun, 21 Feb 2016 at 17.06.58, noloa...@gmail.com wrote:
> I think it's great that SSLv2 is disabled by default or removed.
> However, this might cause some UI pain:
>
> $ ./config shared no-ssl2 no-ssl3
> Operating system: x86_64-whatever-linux2
> Configuring for linux-x86_64
> Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L)
> ***** Unsupported options: no-ssl2
>
> For years we have been pounding into people's heads: "configure with
> no-ssl2 no-ssl3". SSLv2 and SSLv3 are insecure. See, for example,
> http://www.owasp.org/index.php/C-Based_Toolchain_Hardening#Integration.
>
> Changing the behavior now such that 'no-ssl2' is an error creates
> additional rules that users should not have to worry about. Users might
> accidentally omit 'no-ssl2' on OpenSSL 1.0.1 and below due to the new
> conditioning.
>
> I think it would be good for users to (1) disable or omit SSLv2 (as
> the library is doing), and (2) honor or ignore 'no-ssl2' (both achieve
> the same goal).
>
--
Richard Levitte
levi...@openssl.org

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4330
Please log in as guest with password guest if prompted

commit 7ada660bede2b82bd26cca9cd6cb856abf2d7e9b Author: Richard Levitte <levi...@openssl.org> Date: Mon Feb 22 10:42:53 2016 +0100 Get back "ssl2" as a deprecated disablable option Preserved for now for those who have scripts with the option "no-ssl2". We warn that it's deprecated, and ignore it otherwise. In response to RT#4330 diff --git a/Configure b/Configure index 1cb5ace..7a5b8bc 100755 --- a/Configure +++ b/Configure @@ -325,6 +325,10 @@ foreach my $proto ((@tls, @dtls)) push(@disablables, "$proto-method"); } +my @deprecated_disablables = ( + "ssl2", + ); + # All of the following is disabled by default (RC5 was enabled before 0.9.8): my %disabled = ( # "what" => "comment" @@ -490,6 +494,7 @@ if (grep /^reconf(igure)?$/, @argvcopy) { $config{perlargv} = [ @argvcopy ]; my %unsupported_options = (); +my %deprecated_options = (); foreach (@argvcopy) { # VMS is a case insensitive environment, and depending on settings @@ -511,7 +516,12 @@ foreach (@argvcopy) if (/^(no|disable|enable)-(.+)$/) { my $word = $2; - if (!grep { $word =~ /^${_}$/ } @disablables) + if (grep { $word =~ /^${_}$/ } @deprecated_disablables) + { + $deprecated_options{$_} = 1; + next; + } + elsif (!grep { $word =~ /^${_}$/ } @disablables) { $unsupported_options{$_} = 1; next; @@ -694,6 +704,11 @@ foreach (@argvcopy) die "***** Unsupported api compatibility level: $config{api}\n", } + if (keys %deprecated_options) + { + warn "***** Deprecated options: ", + join(", ", keys %deprecated_options), "\n"; + } if (keys %unsupported_options) { die "***** Unsupported options: ",
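
Review bot: The new `@deprecated_disablables` list in the hunk at @@ -325,6 +325,10 @@ has no comment, while `%disabled` right below it carries "# All of the following is disabled by default". A comment stating that these names are still accepted for script compatibility, produce a warning and otherwise have no effect would keep later additions to the list consistent with that intent.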
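
Review bot: In the hunk at @@ -511,7 +516,12 @@, the new `grep { $word =~ /^${_}$/ } @deprecated_disablables` branch sits under `/^(no|disable|enable)-(.+)$/` and never looks at `$1`, so `enable-ssl2` is recorded in `%deprecated_options` and skipped with `next` exactly like `no-ssl2`. The commit message only talks about preserving "no-ssl2"; a request to enable SSLv2 would end with a deprecation warning although nothing was enabled. Suggest restricting the deprecated branch to the `no` and `disable` prefixes, so that `enable-ssl2` falls through to the `%unsupported_options` check and stops the configuration.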
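
Review bot: In the hunk at @@ -694,6 +704,11 @@, the text `***** Deprecated options: ` does not tell the user that the option was ignored, which is what the commit message says happens. Printed in the same style as the `die "***** Unsupported options: "` message just below, it leaves the reader unsure whether the build was affected. Suggest wording such as "Deprecated options (ignored)", and `sort keys %deprecated_options` so the order of the listed options is stable between runs.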