On 15-08-2010 03:11, Stefan de Konink wrote:

> Dear Steve,
>
> On 15-08-10 01:52, Dr. Stephen Henson wrote:
>> OpenSSL 1.0.0 doesn't include any SSLv2 ciphersuites by default and new logic
>> means it doesn't send out an SSLv2 compatible client hello if it will never
>> use SSLv2. That effectively disables SSLv2 by default. Try a cipher
>> string that explicitly enables some SSLv2 ciphers.
>
> Could you elaborate why this did work out of the box in 0.9.8 and breaks
> with 1.0.0? Basically I found out that this site only seems to accept
> SSLv2. Of course I can specify what protocol to use manually (I
> actually hacked the httplib in Python for it already), but from a
> usability point of view: why did this break?


This is because if SSLv2 backward compatibility is enabled in *any* SSL
library, then a security hole in the protocol rules for indicating
SSLv2 compatibility will allow an attack where the attacker can force
two SSL3-or-later computers to talk SSLv2 to each other in a way that
can then be easily broken.

Therefore most modern SSL implementations disable SSLv2 by default, and
starting with OpenSSL 1.0.0, OpenSSL does this too.

> Is it possible to configure to use SSLv2 anyway?


Others have answered that part better than I can.
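Since the thread turns on a Python client that ended up talking to an SSLv2-only site, here is an added example (not code from the thread or from OpenSSL) showing the defensive side of the point made above: a client context that excludes the legacy protocol versions outright, next to a deliberately weakened one, and a small audit that reports when a context would still accept a downgrade or skip certificate checks. The threshold `MIN_ACCEPTABLE`, the function names and the "legacy" context are assumptions made for this example; the `ssl` module calls are standard-library ones (Python 3.7+ with OpenSSL 1.1.0g or later for `minimum_version`). Note that current `ssl` builds cannot enable SSLv2 at all, so the audit checks the version floor rather than an SSLv2 flag.

```python
import ssl
from typing import List

# Policy assumed for this example: anything below TLS 1.2 is treated as legacy.
MIN_ACCEPTABLE = ssl.TLSVersion.TLSv1_2


def make_client_context() -> ssl.SSLContext:
    """Client context with legacy protocol versions excluded and verification on.

    PROTOCOL_TLS_CLIENT already turns on hostname checking and CERT_REQUIRED;
    the version floor removes SSLv3/TLS 1.0/TLS 1.1 from negotiation entirely.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_ACCEPTABLE
    ctx.load_default_certs()
    return ctx


def make_legacy_context() -> ssl.SSLContext:
    """Deliberately weakened context (constructed for this example) so the audit
    has something to catch: no verification, no hostname check, lowest version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode may change
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context meets the policy."""
    findings = []
    if ctx.minimum_version < MIN_ACCEPTABLE:
        findings.append(
            f"minimum protocol version is {ctx.minimum_version.name}, "
            f"below {MIN_ACCEPTABLE.name}"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", make_client_context()),
                       ("legacy", make_legacy_context())):
        print(label, audit_context(ctx) or "ok")
```

The audit is the part worth keeping around: run it over every context an application builds (for example in a unit test), and a later change that lowers `minimum_version` or disables verification to reach some old server fails the test instead of silently reopening the downgrade path the thread describes.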


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
