On Sat, Jun 28, 2014, Jeremy Farrell wrote:

> > From: Hanno Böck [mailto:ha...@hboeck.de]
> > Sent: Saturday, June 28, 2014 10:36 PM
> >
> > On Sat, 28 Jun 2014 20:05:21 +0200
> > Kurt Roeckx <k...@roeckx.be> wrote:
> >
> > > If you make such a patch, I might disable SSLv3 support in Debian,
> > > but that's unlikely to make it in jessie.
> >
> > The openssl configure script already has a disable-ssl3 option.
> >
> > I experimented with it a while back and it didn't have any impact. I'm
> > also running my servers without sslv3 (although the openssl there still
> > supports it, I just disable it in the software configurations).
>
> I had a quick play with building 1.0.1g with both SSLv2 and SSLv3 disabled a
> couple of weeks ago. There are unfortunate effects in the openssl application
> at least, where some logic appears not to have been updated for TLS. If both
> SSLv2 and SSLv3 are disabled, some commands are removed. For example the
> 'ciphers' command is removed, presumably on the basis that if you don't have
> SSLv2 or SSLv3 then you can't have any interest in cipher suites. Didn't have
> time to pursue it further at the time, but was concerned there might be other
> less obvious problems.
>
> It looks like there is some work to do to make this clean across the full
> project.

Looks like the logic in ciphers and progs.pl is rather ancient. I've just
updated it so ciphers, s_client and s_server now work with no-ssl2 no-ssl3.

I'd be interested to know if anyone sees any other side effects.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org