On Fri, Sep 02, 2011, Michael B Allen wrote:

> Hello,
> 
> Is there a way to disable SSLv2 system-wide (assuming non-static
> linking)? I am trying to get a CentOS 5.6 system to pass a PCI credit
> card processing certification and the scanning company blindly flags
> SSLv2 as non-compliant. Rather than try to disable SSLv2 in each
> application (postfix, Apache, Dovecot, etc), I was hoping there was a
> low-level directive that would block SSLv2 (but not SSLv3 or TLSv1).
> 
> Is there any such directive to torpedo SSLv2 specifically?
> 

Which version of OpenSSL are you using? In OpenSSL 1.0.0 and later the cipher
string determines whether SSLv2 support is advertised or accepted and the
default cipher string includes no SSLv2 ciphers.

Alternatively try no-ssl2 on the command line but that hasn't been tested for
a while. If you use that you will get linker errors in applications that
reference SSLv2 directly.

Third option. At the end of SSL_CTX_new in ssl/ssl_lib.c the options flag has
some settings added. Add something to disable SSLv2:

ret->options |= SSL_OP_NO_SSLv2;

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
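Added example, not part of the thread: a small check for the first option above, which hinges on whether the cipher string enables any SSLv2 ciphersuite. It reads `openssl ciphers -v` output (protocol in the second column) and counts SSLv2 suites; the sample output is constructed to look like OpenSSL 1.0.x and is not captured from a real system.

```sh
#!/bin/sh
# Audit a cipher string for SSLv2 ciphersuites (added example, not from the thread).
# Assumes `openssl ciphers -v` prints the protocol in column 2, e.g.
# "RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5".

# Read `openssl ciphers -v` output on stdin; print how many suites are SSLv2.
count_sslv2() {
    awk '$2 == "SSLv2" { n++ } END { print n + 0 }'
}

# Run the local openssl against a cipher string and report the SSLv2 count.
# Exit 0 when no SSLv2 suite is enabled, 1 when at least one is,
# 2 when openssl is unavailable or rejects the string.
audit_cipher_string() {
    spec=$1
    command -v openssl >/dev/null 2>&1 || return 2
    out=$(openssl ciphers -v "$spec" 2>/dev/null) || return 2
    n=$(printf '%s\n' "$out" | count_sslv2)
    printf 'cipher string "%s": %s SSLv2 suite(s)\n' "$spec" "$n"
    [ "$n" -eq 0 ]
}

# Constructed sample in the 1.0.x `ciphers -v ALL` layout, for offline use.
SAMPLE_ALL='AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5'

# The same sample after a cipher string with !SSLv2 has dropped the SSLv2 suites.
SAMPLE_NO_SSLV2='AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1'

# Exercise the counter on the constructed samples.
printf '%s\n' "$SAMPLE_ALL"      | count_sslv2   # 2
printf '%s\n' "$SAMPLE_NO_SSLV2" | count_sslv2   # 0

# Then audit the library actually installed, if any: a failure here means the
# DEFAULT cipher list still admits SSLv2 and the scanner's finding is genuine.
if audit_cipher_string DEFAULT; then
    echo "DEFAULT enables no SSLv2 suites"
else
    echo "SSLv2 suites enabled, or openssl unavailable"
fi
```

Run it as a regular user on the host being scanned; the real-library part only confirms what the default cipher string does, not what each application configures.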