Thanks for the explanation. As I mentioned in my email, the following situation does work:

openssl s_server -ssl2 -cert ssl_server.pem -WWW -CAfile cafile.pem
openssl s_client -connect localhost:4433 -ssl2 -debug

Does it mean that "-ssl2" is not using DEFAULT cipher suite and is similar to "-cipher DEFAULT:SSLv2"? On the other hand, "-no_protocol" still uses DEFAULT cipher?

G.Y

On Fri, Sep 21, 2012 at 8:28 PM, Dr. Stephen Henson <[email protected]> wrote:
> On Fri, Sep 21, 2012, YUN GAO wrote:
>
>> Hi there:
>> I got a problem for upgrading openssl from 0.9.8l to 1.0.1b. Now I can
>> repro the problem using s_server and s_client:
>>
>> openssl s_server -ssl2 -cert ssl_server.pem -WWW -CAfile cafile.pem
>> openssl s_client -connect localhost:4433 -no_ssl3 -no_tls1 -debug
>>
>> With 0.9.8l openssl, the above connection can be setup, and the ssl
>> session protocol is SSLv2
>> This is the expected behavior, I am trying to setup a ssl connection
>> with SSLv2 protocol.
>>
>
> Because SSLv2 has a number of security issues it is effectively disabled by
> default in OpenSSL 1.0.0 and later. This is done by removing any SSLv2 ciphers
> from the default cipherstring and OpenSSL then automatically disables SSLv2.
>
> If you want to use SSLv2 in OpenSSL 1.0.0 or later then you need to explicitly
> include SSLv2 ciphersuites in the cipher string.
>
> The option -cipher DEFAULT:SSLv2 for example will include SSLv2 ciphersuites.
> When you explicitly request SSLv2 OpenSSL assumes you know what you are doing
> and uses appropriate SSLv2 ciphersuites.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [email protected]
> Automated List Manager                           [email protected]
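
The quoted reply ties SSLv2 availability to whether the cipher string contains any SSLv2 suites. The following is an added example, not code from the thread or from the OpenSSL project: it audits `openssl ciphers -v` output for SSLv2 suites, so a configured cipher string can be checked before deployment. The function names and the sample rows are constructed for illustration; the row layout (name, protocol, Kx, Au, Enc, Mac) is the one `openssl ciphers -v` prints.

```shell
#!/bin/sh
# Added example: find SSLv2 suites in `openssl ciphers -v` output.

# Constructed sample rows in the `openssl ciphers -v` layout.
sample_ciphers() {
cat <<'EOF'
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EOF
}

# Print the names of suites whose protocol column is SSLv2 (reads stdin).
# Matching on column 2 avoids false hits on names such as RC4-MD5, which
# exists as both an SSLv2 and an SSLv3 suite.
sslv2_suites() {
    awk '$2 == "SSLv2" { print $1 }'
}

# Return 0 when stdin lists no SSLv2 suite, 1 otherwise.
check_no_sslv2() {
    found=$(sslv2_suites)
    if [ -n "$found" ]; then
        printf 'SSLv2 suites enabled: %s\n' \
            "$(printf '%s' "$found" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Audit a cipher string with the local openssl binary.
# Returns 2 when openssl rejects the string (for example, a build
# without SSLv2 support given a string that selects only SSLv2).
audit_cipher_string() {
    out=$(openssl ciphers -v "$1" 2>/dev/null) || {
        echo "cipher string rejected: $1" >&2
        return 2
    }
    printf '%s\n' "$out" | check_no_sslv2
}

# Stand-alone run over the constructed sample.
sample_ciphers | check_no_sslv2 || echo "sample includes SSLv2 suites"
```

With a real binary, `audit_cipher_string 'DEFAULT'` and `audit_cipher_string 'DEFAULT:SSLv2'` show the difference the reply describes, provided the build still includes SSLv2.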
