On Fri, Sep 21, 2012, YUN GAO wrote:

> Hi there:
> I got a problem for upgrading openssl from 0.9.8l to 1.0.1b. Now I can
> repro the problem using s_server and s_client:
>
> openssl s_server -ssl2 -cert ssl_server.pem -WWW -CAfile cafile.pem
> openssl s_client -connect localhost:4433 -no_ssl3 -no_tls1 -debug
>
> With 0.9.8l openssl, the above connection can be setup, and the ssl
> session protocol is SSLv2
> This is the expected behavior, I am trying to setup a ssl connection
> with SSLv2 protocol.
>
Because SSLv2 has a number of security issues it is effectively disabled by
default in OpenSSL 1.0.0 and later. This is done by removing any SSLv2 ciphers
from the default cipherstring and OpenSSL then automatically disables SSLv2.

If you want to use SSLv2 in OpenSSL 1.0.0 or later then you need to explicitly
include SSLv2 ciphersuites in the cipher string. The option
-cipher DEFAULT:SSLv2 for example will include SSLv2 ciphersuites.

When you explicitly request SSLv2 OpenSSL assumes you know what you are doing
and uses appropriate SSLv2 ciphersuites.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
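The reply above ties SSLv2 being on or off to whether the cipher string contains SSLv2 suites, so a configured cipher string can be audited by expanding it and looking at the protocol column. The script below is an added example, not part of the original thread or of OpenSSL; the function names and the sample listings are constructed for illustration and assume the `openssl ciphers -v` column layout (name, protocol, Kx=, Au=, Enc=, Mac=).

```shell
#!/bin/sh
# Added example: find SSLv2 suites in an expanded cipher string.
# Function names are hypothetical; samples are constructed, not captured output.

# Read `openssl ciphers -v` style lines on stdin, print names of SSLv2 suites.
sslv2_suites() {
    awk '$2 == "SSLv2" { print $1 }'
}

# Succeed (exit 0) only if the listing passed as $1 has no SSLv2 suites.
sslv2_disabled() {
    [ -z "$(printf '%s\n' "$1" | sslv2_suites)" ]
}

# Constructed sample: a default-style listing with no SSLv2 suites.
SAMPLE_DEFAULT='AES256-SHA     SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-SHA   SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-SHA        SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1'

# Constructed sample: the same listing with SSLv2 suites appended,
# as a string such as DEFAULT:SSLv2 would produce.
SAMPLE_WITH_SSLV2="$SAMPLE_DEFAULT
DES-CBC3-MD5   SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC4-MD5        SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5"

# Audit a cipher string against the locally installed openssl binary.
# $1 = cipher string taken from a server or client configuration.
audit_cipher_string() {
    out=$(openssl ciphers -v "$1" 2>/dev/null) || {
        echo "$1: cipher string rejected by this openssl build"
        return 2
    }
    if sslv2_disabled "$out"; then
        echo "$1: no SSLv2 suites, SSLv2 stays disabled"
    else
        echo "$1: SSLv2 suites present:"
        printf '%s\n' "$out" | sslv2_suites
        return 1
    fi
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_WITH_SSLV2" | sslv2_suites
```

Run `audit_cipher_string` with the cipher string from a deployed configuration to check it against the local build; a non-zero return marks a string that turns SSLv2 back on or that the build does not accept.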
