On Mon, Dec 08, 2014 at 07:58:31PM +0100, Steffen Nurpmeso via RT wrote:
> set ssl-protocol="ALL,-SSLv2"
>
> This results in the obvious problem that when they (get)
> upgrade(d) their OpenSSL library they will see a completely
> intransparent error message that no normal user will understand:
It was actually my intention to keep supporting that, but I seem
to have removed that line. I think the following patch should fix
that:
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -333,6 +333,7 @@ static int cmd_Protocol(SSL_CONF_CTX *cctx,
const char *value)
static const ssl_flag_tbl ssl_protocol_list[] =
{
SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK),
+ SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2),
SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
Kurt
_______________________________________________
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
