"Kurt Roeckx via RT" <r...@openssl.org> wrote:
 |On Mon, Dec 08, 2014 at 07:58:31PM +0100, Steffen Nurpmeso via RT wrote:
 |>   set ssl-protocol="ALL,-SSLv2"
 |> 
 |> This results in the obvious problem that when they (get)
 |> upgrade(d) their OpenSSL library they will see a completely
 |> intransparent error message that no normal user will understand:
 |
 |It was actually my intention to keep supporting that, but I seem
 |to have removed that line.  I think the following patch should fix
 |that:
 |--- a/ssl/ssl_conf.c
 |+++ b/ssl/ssl_conf.c
 |@@ -333,6 +333,7 @@ static int cmd_Protocol(SSL_CONF_CTX *cctx,
 |const char *value)
 |        static const ssl_flag_tbl ssl_protocol_list[] =
 |                {
 |                SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK),
 |+               SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2),
 |                SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
 |                SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
 |                SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
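Review bot: the added SSLv2 row makes "-SSLv2" parse again, but because SSL_OP_NO_SSLv2 is now 0x0L (as the reply below points out) the row is a pure compatibility no-op, and the table gives the next reader no hint of that; a one-line comment above the `+` line, e.g. `/* SSLv2 is gone; token kept so existing "ALL,-SSLv2" configs still load */`, would record the intent and stop someone from "cleaning up" the dead-looking entry later.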

Sure, since SSL_OP_NO_SSLv2 still exists as 0x0L, as I see now.

--steffen
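To make the failure mode in this thread concrete, here is an added, stand-alone C re-implementation of the inverted flag-table lookup that `cmd_Protocol` performs on an `ssl-protocol` string; it is not OpenSSL's code, the `OP_NO_*` bit values are constructed stand-ins, and `protocol_list_broken` / `protocol_list_fixed` are hypothetical names for the table before and after the quoted patch.

```c
#include <string.h>

/* Constructed stand-ins for the SSL_OP_NO_* bits (not OpenSSL's real values).
   As in the library after SSLv2 removal, OP_NO_SSLv2 is 0, so "-SSLv2" sets nothing. */
#define OP_NO_SSLv2    0x00000000UL
#define OP_NO_SSLv3    0x00000001UL
#define OP_NO_TLSv1    0x00000002UL
#define OP_NO_TLSv1_1  0x00000004UL
#define OP_NO_SSL_MASK (OP_NO_SSLv2 | OP_NO_SSLv3 | OP_NO_TLSv1 | OP_NO_TLSv1_1)

struct flag_tbl { const char *name; unsigned long mask; };

/* Table after the patch. Every row is "inverted" (SSL_FLAG_TBL_INV):
   "X" clears its NO_X bits, "-X" sets them. */
static const struct flag_tbl protocol_list_fixed[] = {
    {"ALL", OP_NO_SSL_MASK}, {"SSLv2", OP_NO_SSLv2}, {"SSLv3", OP_NO_SSLv3},
    {"TLSv1", OP_NO_TLSv1},  {"TLSv1.1", OP_NO_TLSv1_1}, {NULL, 0}
};
/* Table before the patch: no SSLv2 row, so "-SSLv2" is an unknown token. */
static const struct flag_tbl protocol_list_broken[] = {
    {"ALL", OP_NO_SSL_MASK}, {"SSLv3", OP_NO_SSLv3},
    {"TLSv1", OP_NO_TLSv1},  {"TLSv1.1", OP_NO_TLSv1_1}, {NULL, 0}
};

/* Apply a comma-separated list such as "ALL,-SSLv2" to *opts.
   Returns 1 on success, 0 as soon as a token is not in the table. */
int parse_protocol(const struct flag_tbl *tbl, const char *value, unsigned long *opts)
{
    const char *p = value;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        int neg = (len > 0 && *p == '-');
        const char *name = p + neg;
        size_t nlen = len - neg;
        const struct flag_tbl *t;
        for (t = tbl; t->name; t++)
            if (strlen(t->name) == nlen && memcmp(t->name, name, nlen) == 0)
                break;
        if (!t->name)
            return 0;               /* unknown token: the opaque config error */
        if (neg) *opts |= t->mask; else *opts &= ~t->mask;
        p = end ? end + 1 : p + len;
    }
    return 1;
}

/* Convenience wrapper: resulting option bits, or -1 if a token was rejected. */
long protocol_bits(const struct flag_tbl *tbl, const char *value)
{
    unsigned long opts = 0;
    return parse_protocol(tbl, value, &opts) ? (long)opts : -1;
}
```

With the old table "ALL,-SSLv2" is rejected outright; with the patched table it is accepted and, since the SSLv2 mask is zero, leaves exactly the bits that "ALL" alone would.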


_______________________________________________
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
