On Fri, Nov 14, 2014 at 06:35:51AM +0000, Viktor Dukhovni wrote:
> On Fri, Nov 14, 2014 at 06:26:24AM +0000, Vaghasiya, Nimesh wrote:
> 
> [ It is rude to ask user questions on the dev list (moved to Bcc). ]
> 
> > We are in process of disabling SSLv3 and SSLv2 protocols from all of our 
> > FreeBSD based applications.
> > 
> > For SSLv23 methods we are setting SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3 options 
> > as shown below,
> > 
> > 
> >          conn->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
> >          SSL_CTX_set_mode(conn->ssl_ctx, SSL_OP_NO_SSLv2);
> > 
> >          SSL_CTX_set_mode(conn->ssl_ctx, SSL_OP_NO_SSLv3);
> > 
> > Does this ensure my SSLv23 methods will no more accept SSLv3 and SSLv2 
> > connections ?
> 
> No, it does not.
> 
> You really should read the manpage for SSL_CTX_set_mode(3) that
> function is unrelated to setting the options in question.
> 
> To control protocol feature and work-around options see
> SSL_CTX_set_options(3).

So setting SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 should do what he
wants to do, he's just using the wrong function to set the
options.


Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
