On Tue, 2014-06-03 at 16:41 +0000, Viktor Dukhovni wrote:
> On Tue, Jun 03, 2014 at 06:01:03PM +0200, Tomas Mraz via RT wrote:
>
> > openssl advertises ECC ciphersuites in SSLv2 client hello if ssl23
> > method is used. This is incorrect because the TLS extensions that
> > indicate supported curves and point formats cannot be sent in SSLv2
> > client hello. The attached patch ensures that no ECC ciphersuites are
> > sent in SSLv2 client hello.
>
> This looks about right, where do you still use SSLv2? Nowadays,
> you should probably have SSLv2 disabled.

SSLv2 is disabled by default; however, when you use the ALL cipher list (which is of course something you should not do, but it happened in the perl LDAP module), the SSLv2 ciphers are added to the cipherlist and an SSLv2 client hello is used.

I agree that once we break API/ABI compatibility we should remove SSLv2 support altogether.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
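An illustration of the point made in the thread, added here and not taken from OpenSSL or from the attached patch: the SSLv2 CLIENT-HELLO has only fixed fields and a flat list of 3-byte cipher specs, so there is no place for the supported-curves or point-format extensions an ECC suite needs. The code builds and parses such a hello, flags ECC suites advertised in it, and filters them out the way the patch intends; the suite table and sample values are constructed for the example.

```python
import struct

# Constructed lookup table for the example: TLS suite id -> (OpenSSL name, uses ECC).
# A real check would consult the full cipher table; these ids are IANA-registered.
SUITES = {
    0x0005: ("RC4-SHA", False),
    0x002F: ("AES128-SHA", False),
    0x0035: ("AES256-SHA", False),
    0xC009: ("ECDHE-ECDSA-AES128-SHA", True),
    0xC013: ("ECDHE-RSA-AES128-SHA", True),
    0xC014: ("ECDHE-RSA-AES256-SHA", True),
}
SSL2_RC4_128_WITH_MD5 = b"\x01\x00\x80"  # an SSLv2-native cipher spec (nonzero first byte)


def is_ecc_spec(spec):
    """TLS suites are carried in an SSLv2 hello as 00 xx yy; look up xx yy."""
    if spec[0] != 0:
        return False
    return SUITES.get(struct.unpack("!H", spec[1:])[0], ("?", False))[1]


def build_v2_client_hello(specs, version=0x0301, challenge=b"\x11" * 16):
    """SSLv2 CLIENT-HELLO: 2-byte record header (high bit set), msg type 1, version,
    cipher-spec length, session-id length, challenge length, then the three fields.
    No extension field exists, hence curves/point formats cannot be signalled."""
    body = struct.pack("!BHHHH", 1, version, 3 * len(specs), 0, len(challenge))
    body += b"".join(specs) + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_v2_client_hello(data):
    """Return the list of 3-byte cipher specs, or None if this is not an SSLv2 hello."""
    if len(data) < 11 or not data[0] & 0x80:      # TLS records start with 0x16
        return None
    length = struct.unpack("!H", data[:2])[0] & 0x7FFF
    msg_type, _version, cs_len, sid_len, ch_len = struct.unpack("!BHHHH", data[2:11])
    if msg_type != 1 or length != 9 + cs_len + sid_len + ch_len or cs_len % 3:
        return None
    specs = data[11:11 + cs_len]
    return [specs[i:i + 3] for i in range(0, cs_len, 3)]


def ecc_suites_in_v2_hello(data):
    """Names of ECC suites wrongly advertised in an SSLv2 hello (the bug in the thread)."""
    specs = parse_v2_client_hello(data) or []
    return [SUITES[struct.unpack("!H", s[1:])[0]][0] for s in specs if is_ecc_spec(s)]


def strip_ecc(specs):
    """Filter to apply before sending an SSLv2 hello, mirroring the patch's intent."""
    return [s for s in specs if not is_ecc_spec(s)]
```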