On Tue, 2014-06-03 at 16:41 +0000, Viktor Dukhovni wrote:
> On Tue, Jun 03, 2014 at 06:01:03PM +0200, Tomas Mraz via RT wrote:
> 
> > openssl advertises ECC ciphersuites in SSLv2 client hello if ssl23
> > method is used. This is incorrect because the TLS extensions that
> > indicate supported curves and point formats cannot be sent in SSLv2
> > client hello. The attached patch ensures that no ECC ciphersuites are
> > sent in SSLv2 client hello.
> 
> This looks about right, where do you still use SSLv2?  Nowadays,
> you should probably have SSLv2 disabled.
SSLv2 is disabled by default; however, when you use the ALL cipher list
(which is of course something you should not do, but it happened in the
perl LDAP module), the SSLv2 ciphers are added to the cipher list and an
SSLv2 client hello is used.

I agree that once we break API/ABI compatibility we should remove SSLv2
support altogether.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
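
As an added illustration of the report quoted above (this is not code from the thread, the attached patch or OpenSSL), the block below builds an SSLv2-compatible CLIENT-HELLO the way an ssl23-style client would, parses it back, and flags any TLS ECC cipher suites it advertises. The record layout follows the V2ClientHello description in RFC 5246, Appendix E.2 (TLS suites carried as three bytes with a leading 0x00); the ECC ranges checked are the suites registered by RFC 4492 and RFC 5289 only; the suite ids, the all-zero challenge and the sample hello are constructed for the example. `strip_ecc_for_v2` is a hypothetical helper that does what the report says the patch ensures: no ECC suites in the SSLv2 hello, since the supported-curves and point-format extensions cannot be sent there.

```python
import struct

# Constructed sample cipher suite ids (IANA TLS values, 2 bytes each).
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B
# A native SSLv2 cipher kind is a 3-byte value with a non-zero first byte.
SSL2_RC4_128_WITH_MD5 = 0x010080

# ECC suite ranges from RFC 4492 (0xC001-0xC019) and RFC 5289 (0xC023-0xC032).
# Deliberately not "anything in 0xC0xx": later non-ECC suites also live there.
ECC_SUITE_RANGES = ((0xC001, 0xC019), (0xC023, 0xC032))


def is_tls_ecc_suite(spec):
    """True for a TLS suite (leading 0x00 byte in SSLv2 encoding) in an ECC range."""
    return spec <= 0xFFFF and any(lo <= spec <= hi for lo, hi in ECC_SUITE_RANGES)


def strip_ecc_for_v2(cipher_specs):
    """Hypothetical helper: the filter the reported patch applies before an SSLv2 hello."""
    return [c for c in cipher_specs if not is_tls_ecc_suite(c)]


def build_v2_client_hello(cipher_specs, challenge=b"\x00" * 16, version=0x0301):
    """Encode an SSLv2 CLIENT-HELLO (RFC 5246, Appendix E.2 layout).

    cipher_specs: ints; values <= 0xFFFF are TLS suites, encoded 00 xx yy,
    larger values are native 3-byte SSLv2 cipher kinds.
    """
    body = b"".join(struct.pack(">I", c)[1:] for c in cipher_specs)  # 3 bytes each
    # msg_type=1, version, cipher_spec_length, session_id_length=0, challenge_length
    hdr = struct.pack(">BHHHH", 0x01, version, len(body), 0, len(challenge))
    msg = hdr + body + challenge
    # 2-byte record header: high bit set, remaining 15 bits are the length.
    return struct.pack(">H", 0x8000 | len(msg)) + msg


def parse_v2_client_hello(record):
    """Decode an SSLv2 CLIENT-HELLO record, validating every length field."""
    if len(record) < 2 or not record[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    length = struct.unpack(">H", record[:2])[0] & 0x7FFF
    msg = record[2:2 + length]
    if len(msg) != length or length < 9:
        raise ValueError("truncated SSLv2 record")
    msg_type, version, cs_len, sid_len, ch_len = struct.unpack(">BHHHH", msg[:9])
    if msg_type != 0x01:
        raise ValueError("not a CLIENT-HELLO")
    if cs_len % 3:
        raise ValueError("cipher spec length is not a multiple of 3")
    if 9 + cs_len + sid_len + ch_len != length:
        raise ValueError("field lengths do not add up to the record length")
    specs = msg[9:9 + cs_len]
    cipher_specs = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    sid_start = 9 + cs_len
    return {
        "version": version,
        "cipher_specs": cipher_specs,
        "session_id": msg[sid_start:sid_start + sid_len],
        "challenge": msg[sid_start + sid_len:sid_start + sid_len + ch_len],
    }


def ecc_suites_in_v2_hello(record):
    """The check itself: which ECC suites does this SSLv2 hello advertise?"""
    return [c for c in parse_v2_client_hello(record)["cipher_specs"] if is_tls_ecc_suite(c)]


if __name__ == "__main__":
    # Constructed hello mixing RSA, two ECDHE suites and a native SSLv2 kind.
    hello = build_v2_client_hello([
        TLS_RSA_WITH_AES_128_CBC_SHA,
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        SSL2_RC4_128_WITH_MD5,
    ])
    print("ECC suites in hello:", [hex(c) for c in ecc_suites_in_v2_hello(hello)])
    fixed = build_v2_client_hello(strip_ecc_for_v2(parse_v2_client_hello(hello)["cipher_specs"]))
    print("ECC suites after filter:", ecc_suites_in_v2_hello(fixed))
```

Running `ecc_suites_in_v2_hello` over a captured SSLv2 hello gives a quick way to confirm whether a client built against an unpatched library is affected when its cipher list still pulls in SSLv2 ciphers, which is exactly the situation described for the ALL cipher list.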


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to