On Sun, Aug 15, 2010, Stefan de Konink wrote:

> Dear Steve,
> 
> On 15-08-10 01:52, Dr. Stephen Henson wrote:
> > OpenSSL 1.0.0 doesn't include any SSLv2 ciphersuites by default and new logic
> > means it doesn't send out an SSLv2 compatible client hello if it will never
> > use SSLv2. That effectively disables SSLv2 by default. Try a cipher
> > string that explicitly enables some SSLv2 ciphers.
> 
> Could you elaborate why this did work out of the box in 0.9.8 and breaks
> with 1.0.0? Basically I found out that this site only seems to accept
> SSLv2. Of course I can specify what protocol to use manually (I
> actually hacked the httplib in Python for it already), but from a
> usability point of view: why did this break?
> 
> Is it possible to configure to use SSLv2 anyway?
> 

As I indicated, OpenSSL 1.0.0 does not include any SSLv2 ciphersuites in the
default cipher string. That effectively disables SSLv2 by default, which is in
line with many security recommendations as SSLv2 is highly broken.

OpenSSL 0.9.8 and earlier do include SSLv2 ciphersuites.

If you enable some SSLv2 ciphersuites in the cipher string in OpenSSL 1.0.0
(how you do that depends on the applications) SSLv2 will be used again.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
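
An added example, not part of the original message and not OpenSSL project code: a shell check that lists which suites in `openssl ciphers -v` output are SSLv2, so a cipher string can be audited for re-enabling SSLv2 before it is deployed. The two sample listings are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# `openssl ciphers -v <string>` prints one suite per line; column 1 is the
# suite name and column 2 the protocol version it belongs to.

# Read `openssl ciphers -v` formatted lines on stdin, print SSLv2 suite names.
sslv2_suites() {
    awk '$2 == "SSLv2" { print $1 }'
}

# Exit status 0 if the listing on stdin contains any SSLv2 suite, 1 otherwise.
allows_sslv2() {
    [ -n "$(sslv2_suites)" ]
}

# Audit a cipher string against the locally installed openssl binary.
# Prints the SSLv2 suites the string would enable (nothing if none).
audit_cipher_string() {
    openssl ciphers -v "$1" | sslv2_suites
}

# Constructed sample: a listing in which SSLv2 suites have been enabled.
sample_with_sslv2() {
cat <<'EOF'
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EOF
}

# Constructed sample: a listing with no SSLv2 suites, as with a default
# cipher string that leaves them out.
sample_without_sslv2() {
cat <<'EOF'
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EOF
}

# Report on both samples when the script is run directly.
for sample in sample_with_sslv2 sample_without_sslv2; do
    if "$sample" | allows_sslv2; then
        echo "$sample: SSLv2 enabled by: $("$sample" | sslv2_suites | tr '\n' ' ')"
    else
        echo "$sample: no SSLv2 suites"
    fi
done
```

To check a real configuration, pass its cipher string to `audit_cipher_string`; empty output means the string enables no SSLv2 suites on that build.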