> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Jeffrey Walton
> Sent: Friday, 24 October, 2014 10:26
> To: OpenSSL Users List
> Subject: Re: openssl SSL3 vulnerability
> 
> On Fri, Oct 24, 2014 at 9:53 AM, Michael Wojcik
> <michael.woj...@microfocus.com> wrote:
> >> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> >> us...@openssl.org] On Behalf Of Jeffrey Walton
> >> Sent: Friday, 24 October, 2014 09:42
> >> To: OpenSSL Users List
> >> Subject: Re: openssl SSL3 vulnerability
> >>
> >> On Fri, Oct 24, 2014 at 9:30 AM, Michael Wojcik
> >> <michael.woj...@microfocus.com> wrote:
> >> > You have "SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2" there. I assume "v2 ... v2" is
> >> > a typo, but if that's what your code actually has, then that's the problem.
> >> > (Assuming there isn't some other problem, of course.)
> >> >
> >> That's actually correct in this case.
> >
> > "Correct" how? He says he wants to disable SSLv3, but he's ORing
> > OP_NO_SSLv2 with itself (in the pseudocode he posted), and not using
> > SSL_OP_NO_SSLv3. That was my point.
> >
> > Am I missing something?
> I think I am.... This looks OK to me:
> 
> ::SSL_CTX_set_options(ctx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
> SSL_OP_NO_COMPRESSION));

Yes, that's OK. It's not what the OP posted.

Dave's original email message said "SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2". Note 
that is "v2" twice, and no "v3". (He's already noted this was a typo in the 
note, and his code is correct.)

I pointed out the error in the message, and asked if the actual code was 
correct.

You seem to be talking about what the code *should* be, which is not in dispute.

-- 
Michael Wojcik
Technology Specialist, Micro Focus