On 11/14/2015 08:47 AM, Kurt Roeckx wrote:
> On Sat, Nov 14, 2015 at 08:34:47AM -0700, Alex Rousskov wrote:
>> On 11/14/2015 06:39 AM, Kurt Roeckx wrote:
>>> Source: polygraph
>>> Version: 4.3.2-1.2
>>> Severity: serious
>>> Control: block 797926 by -1
>>
>>> I suggest you remove all of that and only use SSLv23_method().
>>> All the other are version specific methods, only SSLv23_* speaks
>>> multiple versions.
>>
>> Removal of other methods is not a good idea because users need to
>> control which methods are used (including the ones unsupported by the
>> latest OpenSSL). We will provide a different fix.
>
> The other methods will go away in the future because people misuse
> them. You really should only use the SSLv23_* methods.
>
> Your users don't have a need to support a specific method that
> only supports a given protocol. What they might need is to be
> able to limit the supported versions. As I said you should use
> SSL_set_options() for that.

You might be thinking of some general-use program. Web Polygraph is a
test tool. Testers often have unusual needs, including the need to test
with a method that only supports a given [deprecated] protocol.

If we can provide a small better fix, we will. If a better fix requires
too many unrelated changes to this Polygraph version, we will provide a
patch that disables SSLv3 (until a recent Polygraph version with a
comprehensive fix is released).

Thank you,

Alex.
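
The approach suggested in the quoted text (a version-flexible method narrowed with options) as an added example; it is not code from this thread or from Polygraph. It uses Python's `ssl` module, whose `OP_NO_*` constants wrap OpenSSL's per-version `SSL_OP_NO_*` options, and the helper names are hypothetical.

```python
import ssl
import warnings

# Python's names for OpenSSL's per-version SSL_OP_NO_* options, oldest first.
NO_FLAGS = {
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
    "TLSv1.3": ssl.OP_NO_TLSv1_3,
}


def mask_excluding_all_but(allowed):
    """Return the OP_NO_* bits that disable every version not in `allowed`."""
    unknown = set(allowed) - set(NO_FLAGS)
    if unknown:
        raise ValueError(f"unknown protocol version(s): {sorted(unknown)}")
    mask = 0
    for name, flag in NO_FLAGS.items():
        if name not in allowed:
            mask |= flag
    return mask


def flexible_client_context(allowed):
    """Version-flexible client context narrowed to `allowed` via options."""
    # PROTOCOL_TLS_CLIENT negotiates the highest version both peers support.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        # Python deprecates OP_NO_* in favour of minimum_version/maximum_version;
        # the flags are used here because they are what SSL_set_options() takes.
        warnings.simplefilter("ignore", DeprecationWarning)
        # Only ORs bits in, so nothing the defaults disabled is re-enabled.
        ctx.options |= mask_excluding_all_but(allowed)
    return ctx


def enabled_versions(ctx):
    """Versions not masked off by options (the library build may still lack some)."""
    return [name for name, flag in NO_FLAGS.items() if not ctx.options & flag]


if __name__ == "__main__":
    print(enabled_versions(flexible_client_context({"TLSv1.2"})))
```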