Opened 5 years ago

Closed 4 years ago

#6347 defect closed invalid (invalid)

Conflicting information on the effects of OP_NO_SSLv2

Reported by: Hynek Schlawack
Owned by:
Priority: normal
Milestone:
Component: core
Keywords:
Cc: Hynek Schlawack
Branch:
Author:

Description

Currently, our code assumes that setting OP_NO_SSLv2 does not affect setting SSLv2_METHOD and only limits SSLv23_METHOD to SSLv3 and TLSv1.

Our docs at doc/core/howto/ssl.xhtml claim otherwise though:

An older method constant, SSLv2_METHOD, exists but is explicitly disallowed in both DefaultOpenSSLContextFactory and ClientContextFactory for being insecure by calling set_options(SSL.OP_NO_SSLv2) on their contexts.

Until now, I haven’t been able to find a server with an OpenSSL that still allows SSLv2 to verify which of those claims is true.

Change History (1)

comment:1 Changed 4 years ago by Hynek Schlawack

Resolution: invalid
Status: new → closed

This paragraph isn’t part of the docs anymore (and was wrong FWIW, I was just able to check it thanks to Apple shipping an ancient OpenSSL with Mavericks).
