The diff below from sthen@ disables the SSLv2 support within the
OpenSSL stack.

All the browsers and almost all web servers / proxies and other apps
have, over the years, added their own bits of code to explicitly
disable SSLv2 support, and anything using SSL should be disabling
SSLv2 anyway. It has been deprecated since 1996. With all of its
security issues I think it would be best to disable SSLv2 support
altogether within OpenSSL.

This has been through ports bulks and a handful of ports were fixed
due to the SSLv2 API removal. The ports tree is Ok now.

Comments? OK?


Index: lib/libssl/crypto/arch/alpha/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/alpha/opensslconf.h,v
retrieving revision 1.6
diff -u -p -r1.6 opensslconf.h
--- lib/libssl/crypto/arch/alpha/opensslconf.h  1 Oct 2010 23:02:02 -0000       
1.6
+++ lib/libssl/crypto/arch/alpha/opensslconf.h  19 Jun 2012 21:18:34 -0000
@@ -37,6 +37,9 @@
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -86,6 +89,9 @@
 # endif
 # if defined(OPENSSL_NO_SEED) && !defined(NO_SEED)
 #  define NO_SEED
+# endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
 # endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
Index: lib/libssl/crypto/arch/amd64/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/amd64/opensslconf.h,v
retrieving revision 1.6
diff -u -p -r1.6 opensslconf.h
--- lib/libssl/crypto/arch/amd64/opensslconf.h  1 Oct 2010 23:02:02 -0000       
1.6
+++ lib/libssl/crypto/arch/amd64/opensslconf.h  19 Jun 2012 21:18:34 -0000
@@ -37,6 +37,9 @@
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -86,6 +89,9 @@
 # endif
 # if defined(OPENSSL_NO_SEED) && !defined(NO_SEED)
 #  define NO_SEED
+# endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
 # endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
Index: lib/libssl/crypto/arch/arm/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/arm/opensslconf.h,v
retrieving revision 1.6
diff -u -p -r1.6 opensslconf.h
--- lib/libssl/crypto/arch/arm/opensslconf.h    1 Oct 2010 23:02:02 -0000       
1.6
+++ lib/libssl/crypto/arch/arm/opensslconf.h    19 Jun 2012 21:18:34 -0000
@@ -37,6 +37,9 @@
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -86,6 +89,9 @@
 # endif
 # if defined(OPENSSL_NO_SEED) && !defined(NO_SEED)
 #  define NO_SEED
+# endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
 # endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
Index: lib/libssl/crypto/arch/hppa/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/hppa/opensslconf.h,v
retrieving revision 1.6
diff -u -p -r1.6 opensslconf.h
--- lib/libssl/crypto/arch/hppa/opensslconf.h   1 Oct 2010 23:02:02 -0000       
1.6
+++ lib/libssl/crypto/arch/hppa/opensslconf.h   19 Jun 2012 21:18:34 -0000
@@ -37,6 +37,9 @@
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -86,6 +89,9 @@
 # endif
 # if defined(OPENSSL_NO_SEED) && !defined(NO_SEED)
 #  define NO_SEED
+# endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
 # endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
Index: lib/libssl/crypto/arch/hppa64/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/hppa64/opensslconf.h,v
retrieving revision 1.1
diff -u -p -r1.1 opensslconf.h
--- lib/libssl/crypto/arch/hppa64/opensslconf.h 3 Aug 2011 21:43:05 -0000       
1.1
+++ lib/libssl/crypto/arch/hppa64/opensslconf.h 19 Jun 2012 21:18:34 -0000
@@ -37,6 +37,9 @@
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -86,6 +89,9 @@
 # endif
 # if defined(OPENSSL_NO_SEED) && !defined(NO_SEED)
 #  define NO_SEED
+# endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
 # endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
Index: lib/libssl/crypto/arch/i386/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/i386/opensslconf.h,v
retrieving revision 1.7
diff -u -p -r1.7 opensslconf.h
--- lib/libssl/crypto/arch/i386/opensslconf.h   3 Oct 2010 06:09:42 -0000       
1.7
+++ lib/libssl/crypto/arch/i386/opensslconf.h   19 Jun 2012 21:18:34 -0000
@@ -37,6 +37,9 @@
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -86,6 +89,9 @@
 # endif
 # if defined(OPENSSL_NO_SEED) && !defined(NO_SEED)
 #  define NO_SEED
+# endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
 # endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
Index: lib/libssl/crypto/arch/m68k/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/m68k/opensslconf.h,v
retrieving revision 1.6
diff -u -p -r1.6 opensslconf.h
--- lib/libssl/crypto/arch/m68k/opensslconf.h   1 Oct 2010 23:02:02 -0000       
1.6
+++ lib/libssl/crypto/arch/m68k/opensslconf.h   19 Jun 2012 21:18:34 -0000
@@ -37,6 +37,9 @@
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -86,6 +89,9 @@
 # endif
 # if defined(OPENSSL_NO_SEED) && !defined(NO_SEED)
 #  define NO_SEED
+# endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
 # endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
Index: lib/libssl/crypto/arch/m88k/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/m88k/opensslconf.h,v
retrieving revision 1.6
diff -u -p -r1.6 opensslconf.h
--- lib/libssl/crypto/arch/m88k/opensslconf.h   1 Oct 2010 23:02:02 -0000       
1.6
+++ lib/libssl/crypto/arch/m88k/opensslconf.h   19 Jun 2012 21:18:34 -0000
@@ -37,6 +37,9 @@
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -86,6 +89,9 @@
 # endif
 # if defined(OPENSSL_NO_SEED) && !defined(NO_SEED)
 #  define NO_SEED
+# endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
 # endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
Index: lib/libssl/crypto/arch/mips64/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/mips64/opensslconf.h,v
retrieving revision 1.7
diff -u -p -r1.7 opensslconf.h
--- lib/libssl/crypto/arch/mips64/opensslconf.h 1 Oct 2010 23:02:02 -0000       
1.7
+++ lib/libssl/crypto/arch/mips64/opensslconf.h 19 Jun 2012 21:18:34 -0000
@@ -37,6 +37,9 @@
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -86,6 +89,9 @@
 # endif
 # if defined(OPENSSL_NO_SEED) && !defined(NO_SEED)
 #  define NO_SEED
+# endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
 # endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
Index: lib/libssl/crypto/arch/powerpc/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/powerpc/opensslconf.h,v
retrieving revision 1.6
diff -u -p -r1.6 opensslconf.h
--- lib/libssl/crypto/arch/powerpc/opensslconf.h        1 Oct 2010 23:02:02 
-0000       1.6
+++ lib/libssl/crypto/arch/powerpc/opensslconf.h        19 Jun 2012 21:18:34 
-0000
@@ -37,6 +37,9 @@
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -86,6 +89,9 @@
 # endif
 # if defined(OPENSSL_NO_SEED) && !defined(NO_SEED)
 #  define NO_SEED
+# endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
 # endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
Index: lib/libssl/crypto/arch/sh/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/sh/opensslconf.h,v
retrieving revision 1.6
diff -u -p -r1.6 opensslconf.h
--- lib/libssl/crypto/arch/sh/opensslconf.h     1 Oct 2010 23:02:02 -0000       
1.6
+++ lib/libssl/crypto/arch/sh/opensslconf.h     19 Jun 2012 21:18:34 -0000
@@ -37,6 +37,9 @@
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -86,6 +89,9 @@
 # endif
 # if defined(OPENSSL_NO_SEED) && !defined(NO_SEED)
 #  define NO_SEED
+# endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
 # endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
Index: lib/libssl/crypto/arch/sparc/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/sparc/opensslconf.h,v
retrieving revision 1.6
diff -u -p -r1.6 opensslconf.h
--- lib/libssl/crypto/arch/sparc/opensslconf.h  1 Oct 2010 23:02:02 -0000       
1.6
+++ lib/libssl/crypto/arch/sparc/opensslconf.h  19 Jun 2012 21:18:34 -0000
@@ -37,6 +37,9 @@
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -86,6 +89,9 @@
 # endif
 # if defined(OPENSSL_NO_SEED) && !defined(NO_SEED)
 #  define NO_SEED
+# endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
 # endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
Index: lib/libssl/crypto/arch/sparc64/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/sparc64/opensslconf.h,v
retrieving revision 1.6
diff -u -p -r1.6 opensslconf.h
--- lib/libssl/crypto/arch/sparc64/opensslconf.h        1 Oct 2010 23:02:02 
-0000       1.6
+++ lib/libssl/crypto/arch/sparc64/opensslconf.h        19 Jun 2012 21:18:34 
-0000
@@ -37,6 +37,9 @@
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -86,6 +89,9 @@
 # endif
 # if defined(OPENSSL_NO_SEED) && !defined(NO_SEED)
 #  define NO_SEED
+# endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
 # endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
Index: lib/libssl/crypto/arch/vax/opensslconf.h
===================================================================
RCS file: /cvs/src/lib/libssl/crypto/arch/vax/opensslconf.h,v
retrieving revision 1.6
diff -u -p -r1.6 opensslconf.h
--- lib/libssl/crypto/arch/vax/opensslconf.h    1 Oct 2010 23:02:02 -0000       
1.6
+++ lib/libssl/crypto/arch/vax/opensslconf.h    19 Jun 2012 21:18:34 -0000
@@ -37,6 +37,9 @@
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -86,6 +89,9 @@
 # endif
 # if defined(OPENSSL_NO_SEED) && !defined(NO_SEED)
 #  define NO_SEED
+# endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
 # endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
Index: lib/libssl/src/Makefile
===================================================================
RCS file: /cvs/src/lib/libssl/src/Makefile,v
retrieving revision 1.7
diff -u -p -r1.7 Makefile
--- lib/libssl/src/Makefile     5 Jan 2012 23:01:38 -0000       1.7
+++ lib/libssl/src/Makefile     19 Jun 2012 21:18:34 -0000
@@ -13,7 +13,7 @@ SHLIB_MAJOR=1
 SHLIB_MINOR=0.0
 SHLIB_EXT=
 PLATFORM=dist
-OPTIONS= no-gmp no-jpake no-krb5 no-md2 no-rc5 no-rfc3779 no-shared no-store 
no-zlib no-zlib-dynamic static-engine
+OPTIONS= no-gmp no-jpake no-krb5 no-md2 no-rc5 no-rfc3779 no-shared no-ssl2 
no-store no-zlib no-zlib-dynamic static-engine
 CONFIGURE_ARGS=dist
 SHLIB_TARGET=
 
@@ -61,7 +61,7 @@ OPENSSLDIR=/usr/local/ssl
 
 CC= cc
 CFLAG= -O
-DEPFLAG= -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 
-DOPENSSL_NO_RFC3779 -DOPENSSL_NO_STORE
+DEPFLAG= -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 
-DOPENSSL_NO_RFC3779 -DOPENSSL_NO_STORE -DOPENSSL_NO_SSL2
 PEX_LIBS= 
 EX_LIBS= 
 EXE_EXT= 
Index: lib/libssl/src/apps/s_client.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/apps/s_client.c,v
retrieving revision 1.21
diff -u -p -r1.21 s_client.c
--- lib/libssl/src/apps/s_client.c      1 Oct 2010 22:58:51 -0000       1.21
+++ lib/libssl/src/apps/s_client.c      19 Jun 2012 21:18:34 -0000
@@ -320,7 +320,9 @@ static void sc_usage(void)
        BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
 # endif
 #endif
+#ifndef OPENSSL_NO_SSL2
        BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
+#endif
        BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
        BIO_printf(bio_err," -tls1         - just use TLSv1\n");
        BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
Index: lib/libssl/ssl/Makefile
===================================================================
RCS file: /cvs/src/lib/libssl/ssl/Makefile,v
retrieving revision 1.23
diff -u -p -r1.23 Makefile
--- lib/libssl/ssl/Makefile     1 Oct 2010 23:02:02 -0000       1.23
+++ lib/libssl/ssl/Makefile     19 Jun 2012 21:18:34 -0000
@@ -10,6 +10,7 @@ LSSL_SRC= ${.CURDIR}/../${SSLEAYDIST}/ss
 CFLAGS+= -DOPENSSL_NO_IDEA -DTERMIOS -DANSI_SOURCE
 CFLAGS+= -DOPENSSL_NO_MDC2
 CFLAGS+= -DOPENSSL_NO_RC5 -DOPENSSL_NO_KRB5
+CFLAGS+= -DOPENSSL_NO_SSL2
 CFLAGS+= -I${.CURDIR}/../${SSLEAYDIST} -I${.CURDIR}/../${SSLEAYDIST}/crypto
 
 SRCS=\
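Review bot: Nothing next to the new `CFLAGS+= -DOPENSSL_NO_SSL2` line records that it has to agree with the `OPENSSL_NO_SSL2` define this commit adds to each crypto/arch/*/opensslconf.h. If a later import regenerates those headers without the define, the library would be built without the SSLv2 methods while the installed header still declares them. A one-line comment above the flag would cover it, e.g. `# SSLv2 disabled; must match OPENSSL_NO_SSL2 in crypto/arch/*/opensslconf.h`, and the same applies to the identical line added in usr.sbin/openssl/Makefile. The SRCS list starts on the last line of the hunk and continues outside it, so whether the SSLv2-only sources are still compiled cannot be checked from here.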
Index: lib/libssl/ssl/shlib_version
===================================================================
RCS file: /cvs/src/lib/libssl/ssl/shlib_version,v
retrieving revision 1.24
diff -u -p -r1.24 shlib_version
@@ -1,2 +1,2 @@
-major=17
-minor=1
+major=18
+minor=0
Index: usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.27
diff -u -p -r1.27 ssl_engine_init.c
--- usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c    9 Feb 2005 12:13:10 
-0000       1.27
+++ usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c    19 Jun 2012 21:18:34 
-0000
@@ -581,10 +581,7 @@ void ssl_init_ConfigureServer(server_rec
     cp[strlen(cp)-2] = NUL;
     ssl_log(s, SSL_LOG_TRACE,
             "Init: (%s) Creating new SSL context (protocols: %s)", cpVHostID, 
cp);
-    if (sc->nProtocol == SSL_PROTOCOL_SSLV2)
-        ctx = SSL_CTX_new(SSLv2_server_method());  /* only SSLv2 is left */
-    else
-        ctx = SSL_CTX_new(SSLv23_server_method()); /* be more flexible */
+    ctx = SSL_CTX_new(SSLv23_server_method());
     SSL_CTX_set_options(ctx, SSL_OP_ALL);
     if (!(sc->nProtocol & SSL_PROTOCOL_SSLV2))
         SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
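Review bot: A virtual host configured for SSLv2 only (`sc->nProtocol == SSL_PROTOCOL_SSLV2`) is no longer handled specially and now silently gets `SSLv23_server_method()`. With libssl built `no-ssl2` that context cannot negotiate SSLv2, and if the code after this hunk turns off SSLv3 and TLSv1 for protocols missing from `sc->nProtocol` (presumably, it is not visible here), the server would start and then fail every handshake without saying why. It would be safer to log an error at init when `SSL_PROTOCOL_SSLV2` is requested and to set the option unconditionally, `SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);`, dropping the `if (!(sc->nProtocol & SSL_PROTOCOL_SSLV2))` test so httpd never offers SSLv2 even when linked against a library that still has it. The result of `SSL_CTX_new()` is also passed to `SSL_CTX_set_options()` without a NULL check. ssl_init_ConfigureServer starts before and continues after this hunk.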
Index: usr.sbin/openssl/Makefile
===================================================================
RCS file: /cvs/src/usr.sbin/openssl/Makefile,v
retrieving revision 1.19
diff -u -p -r1.19 Makefile
--- usr.sbin/openssl/Makefile   1 Oct 2010 23:04:33 -0000       1.19
+++ usr.sbin/openssl/Makefile   19 Jun 2012 21:18:34 -0000
@@ -11,6 +11,7 @@ SSLEAY_SRC_TOP= ${.CURDIR}/../../${SSLEA
 
 CFLAGS+= -DMONOLITH -DOPENSSL_NO_IDEA -DTERMIOS -DANSI_SOURCE -DOPENSSL_NO_RC5
 CFLAGS+= -DOPENSSL_NO_MDC2
+CFLAGS+= -DOPENSSL_NO_SSL2
 CFLAGS+= -I${SSLEAY_SRC_TOP}
 
 SRCS=  verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c \
