Jeffrey,

May I ask why you included "no-ssl2" as an option to "config"? Is only adding "no-ssl3" not sufficient enough to fully disable SSLv3?

Thanks,
Phil

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton
Sent: Wednesday, November 05, 2014 12:45 AM
To: OpenSSL Users List
Subject: Re: Query: Disabling SSLv3

> We are upgrading to OpenSSL 0.9.8zc on FreeBSD based OS to mitigate
> POODLE risk.
> Could you please answer our following query, Definition of a function
> ssl23_get_client_method() in C file 'openssl-0.9.8zc/ssl/s23_clnt.c'
> shows,
> #ifndef OPENSSL_NO_SSL3
>         if (ver == SSL3_VERSION)
>                 return(SSLv3_client_method());
> #endif
>
> So does this mean, 0.9.8zc needs to be built with -DOPENSSL_NO_SSL3 to
> block downgrading to SSLv3 in SSLv23_* functions ?
>

If you want to disable SSLv3 at configure time, then:

    ./config no-ssl2 no-ssl3 ...

The configure option will define OPENSSL_NO_SSL3. See
http://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options
for more on the options.
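
Added example, not part of the original thread and not OpenSSL's own tooling: a shell check of which protocol-disabling macros ended up in the generated opensslconf.h after running ./config with the options above. The function names are hypothetical and the two header files are constructed samples, not copies of a real build.

```shell
#!/bin/sh
# macro_defined HEADER MACRO
# Exit 0 if HEADER contains "#define MACRO" (spaces after '#' allowed).
# The trailing boundary keeps OPENSSL_NO_SSL3 from matching a longer name.
macro_defined() {
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# missing_protocol_macros HEADER
# Print the expected macros that HEADER does not define, space-separated.
# Prints an empty line when both OPENSSL_NO_SSL2 and OPENSSL_NO_SSL3 are set.
missing_protocol_macros() {
    missing=""
    for m in OPENSSL_NO_SSL2 OPENSSL_NO_SSL3; do
        macro_defined "$1" "$m" || missing="$missing $m"
    done
    echo "${missing# }"
}

# Constructed sample headers (assumed layout, for illustration only).
sample_dir=$(mktemp -d)
cat > "$sample_dir/ssl3_only.h" <<'EOF'
/* constructed sample: tree configured with no-ssl3 only */
#ifndef OPENSSL_NO_SSL3
# define OPENSSL_NO_SSL3
#endif
EOF
cat > "$sample_dir/both.h" <<'EOF'
/* constructed sample: tree configured with no-ssl2 no-ssl3 */
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
#ifndef OPENSSL_NO_SSL3
# define OPENSSL_NO_SSL3
#endif
EOF

for h in "$sample_dir"/*.h; do
    absent=$(missing_protocol_macros "$h")
    echo "$(basename "$h"): ${absent:-OPENSSL_NO_SSL2 and OPENSSL_NO_SSL3 both defined}"
done
```

To check a real tree, pass the path of its generated opensslconf.h to missing_protocol_macros; any macro it prints was not defined by the configure step.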