On Mon, Dec 08, 2014 at 07:58:31PM +0100, Steffen Nurpmeso via RT wrote:
> set ssl-protocol="ALL,-SSLv2"
>
> This results in the obvious problem that when they (get)
> upgrade(d) their OpenSSL library they will see a completely
> intransparent error message that no normal user will understand:

It was actually my intention to keep supporting that, but I seem to have removed that line. I think the following patch should fix that: --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -333,6 +333,7 @@ static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value) static const ssl_flag_tbl ssl_protocol_list[] = { SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK), + SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2), SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3), SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1), SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1), Kurt
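
Review bot: The re-added SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2) entry in ssl_protocol_list carries no comment saying why it has to stay, and the message above notes it was already dropped once unintentionally. Suggest a one-line comment above the entry stating that the name is kept so that existing settings such as "ALL,-SSLv2" continue to parse, together with a regression test that passes that exact string through cmd_Protocol. Because the table entry matches on the name alone, it would also help to state in the commit message whether only the "-SSLv2" form is meant to be supported or whether naming SSLv2 without the minus sign is intended to be accepted as well.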