The order of operations is significant. This can be used to set either defaults
or values which cannot be overridden. For example if an application calls:
- SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
+ SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
SSL_CONF_cmd(ctx, userparam, uservalue);
-it will disable SSLv2 support by default but the user can override it. If
+it will disable SSLv3 support by default but the user can override it. If
however the call sequence is:
SSL_CONF_cmd(ctx, userparam, uservalue);
- SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
+ SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
-SSLv2 is B<always> disabled and attempt to override this by the user are
+SSLv3 is B<always> disabled and attempt to override this by the user are
ignored.
By checking the return code of SSL_CTX_cmd() it is possible to query if a
SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");
-Enable all protocols except SSLv3 and SSLv2:
+Enable all protocols except SSLv3:
- SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2");
+ SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3");
Only enable TLSv1.2:
When choosing a cipher, use the server's preferences instead of the client
preferences. When not set, the SSL server will always follow the clients
-preferences. When set, the SSLv3/TLSv1 server will choose following its
-own preferences. Because of the different protocol, for SSLv2 the server
-will send its list of preferences to the client and the client chooses.
+preferences. When set, the SSL/TLS server will choose following its
+own preferences.
=item SSL_OP_PKCS1_CHECK_1
...
-
-=item SSL_OP_NO_SSLv2
-
-Do not use the SSLv2 protocol.
-
=item SSL_OP_NO_SSLv3
Do not use the SSLv3 protocol.
described in RFC5746. This counters the prefix attack described in
CVE-2009-3555 and elsewhere.
-The deprecated and highly broken SSLv2 protocol does not support
-renegotiation at all: its use is B<strongly> discouraged.
-
This attack has far reaching consequences which application writers should be
aware of. In the description below an implementation supporting secure
renegotiation is referred to as I<patched>. A server not supporting secure
whether an error occurred or the connection was shut down cleanly
(SSL_ERROR_ZERO_RETURN).
-SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
-only be detected, whether the underlying connection was closed. It cannot
-be checked, whether the closure was initiated by the peer or by something
-else.
-
=item E<lt>0
The read operation was not successful, because either an error occurred
whether an error occurred or the connection was shut down cleanly
(SSL_ERROR_ZERO_RETURN).
-SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
-only be detected, whether the underlying connection was closed. It cannot
-be checked, why the closure happened.
-
=item E<lt>0
The write operation was not successful, because either an error occurred
=item B<ssl2.h>
-That's the sub header file dealing with the SSLv2 protocol only.
-I<Usually you don't have to include it explicitly because
-it's already included by ssl.h>.
+Unused. Present for backwards compatibility only.
=item B<ssl3.h>
=item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher);
-Returns a string like "C<TLSv1/SSLv3>" or "C<SSLv2>" which indicates the
+Returns a string like "C<SSLv3>" or "C<TLSv1.2>" which indicates the
SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined
in the specification the first time).
}
/*
- * what if we are setup as SSLv2 but want to talk SSLv3 or vice-versa
+ * what if we are setup for one protocol version but want to talk another
*/
if (t->method != f->method) {
t->method->ssl_free(t); /* cleanup current */
return 1;
}
-/* works well for SSLv2, not so good for SSLv3 */
char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
{
char *p;
int alg_bits; /* Number of bits for algorithm */
};
-/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
+/* Used to hold SSL/TLS functions */
struct ssl_method_st {
int version;
int (*ssl_new) (SSL *s);