On Fri, Sep 2, 2011 at 2:09 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Fri, Sep 02, 2011, Michael B Allen wrote:
>
>> Hello,
>>
>> Is there a way to disable SSLv2 system-wide (assuming non-static
>> linking)? I am trying to get a CentOS 5.6 system to pass a PCI credit
>> card processing certification and the scanning company blindly flags
>> SSLv2 as non-compliant. Rather than try to disable SSLv2 in each
>> application (postfix, Apache, Dovecot, etc), I was hoping there was a
>> low-level directive that would block SSLv2 (but not SSLv3 or TLSv1).
>>
>> Is there any such directive to torpedo SSLv2 specifically?
>>
>
> Which version of OpenSSL are you using? In OpenSSL 1.0.0 and later the cipher
> string determines whether SSLv2 support is advertised or accepted and the
> default cipher string includes no SSLv2 ciphers.
>
> Alternatively try no-ssl2 on the command line but that hasn't been tested for
> a while. If you use that you will get linker errors in applications that
> reference SSLv2 directly.
>
> Third option. At the end of SSL_CTX_new in ssl/ssl_lib.c the options flag has
> some settings added. Add something to disable SSLv2:
>
> ret->options |= SSL_OP_NO_SSLv2;

Hi Steve,

Well I was hoping there was some kind of global configuration file
directive that would affect the behavior of the openssl library and at
least everything dynamically linked with it. But based on your answer
it's fairly clear that there is no such option.

Thanks,
Mike
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
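As an added example (not code from the thread and not OpenSSL's own), the two non-patch routes Steve describes, mapped onto Python's ssl module, which is a thin binding over the same libssl calls: SSLContext.options corresponds to SSL_CTX_set_options/SSL_CTX_get_options, and SSLContext.set_ciphers to SSL_CTX_set_cipher_list. The function names, the two-context setup and the audit dictionary are constructed for illustration. The cipher string used is OpenSSL 1.0.0's default, "ALL:!aNULL:!eNULL:!SSLv2". The audit also handles a case the thread predates: OpenSSL 1.1.0 removed SSLv2 entirely and defines SSL_OP_NO_SSLv2 as 0, so a check that only tests the option bit would wrongly report SSLv2 as enabled on every modern build.

```python
import ssl

# Constructed demonstration. Python's ssl module wraps libssl, so:
#   SSLContext.options     <-> SSL_CTX_set_options / SSL_CTX_get_options
#   SSLContext.set_ciphers <-> SSL_CTX_set_cipher_list
# Each SSLContext is one SSL_CTX; nothing here is library-wide.

# OpenSSL 1.0.0's default cipher string, which already excludes SSLv2 suites.
OPENSSL_100_DEFAULT_CIPHERS = "ALL:!aNULL:!eNULL:!SSLv2"


def disable_sslv2(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Per-context equivalent of `ret->options |= SSL_OP_NO_SSLv2;` from the
    thread, applied after the context exists rather than patched into
    SSL_CTX_new. Only this context is affected."""
    ctx.options |= ssl.OP_NO_SSLv2
    return ctx


def restrict_ciphers(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """The cipher-string route: with no SSLv2 suites offered or accepted,
    an SSLv2 handshake cannot complete even where the protocol is compiled in."""
    ctx.set_ciphers(OPENSSL_100_DEFAULT_CIPHERS)
    return ctx


def sslv2_cipher_count(ctx: ssl.SSLContext) -> int:
    """Number of SSLv2 suites this context would still negotiate."""
    return sum(1 for c in ctx.get_ciphers() if c["protocol"] == "SSLv2")


def sslv2_reachable(ctx: ssl.SSLContext) -> bool:
    """Can a peer complete an SSLv2 handshake through this context?

    Edge case: OpenSSL 1.1.0+ removed SSLv2 and defines SSL_OP_NO_SSLv2 as 0,
    so `ctx.options & ssl.OP_NO_SSLv2` is always 0 there. Checking the bit
    alone would misreport; ask the library first whether SSLv2 exists at all.
    """
    if not ssl.HAS_SSLv2:
        return False  # library cannot speak SSLv2, whatever the options say
    if ctx.options & ssl.OP_NO_SSLv2:
        return False  # protocol compiled in but switched off for this context
    # Protocol present and not switched off: only the cipher list stands in the way.
    return sslv2_cipher_count(ctx) > 0


def audit_contexts() -> dict:
    """Build two independent server contexts, harden only one, and report.

    Mirrors the thread's conclusion: every application (every SSL_CTX) has to
    be configured on its own; there is no directive that reaches all of them.
    """
    hardened = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    untouched = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    disable_sslv2(hardened)
    restrict_ciphers(hardened)
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "sslv2_compiled_in": ssl.HAS_SSLv2,
        # True on every build: on old builds the bit is set, on new ones it is 0.
        "hardened_bit_set": (hardened.options & ssl.OP_NO_SSLv2) == ssl.OP_NO_SSLv2,
        "hardened_sslv2_ciphers": sslv2_cipher_count(hardened),
        "hardened_sslv2_reachable": sslv2_reachable(hardened),
        "untouched_sslv2_reachable": sslv2_reachable(untouched),
    }


if __name__ == "__main__":
    for key, value in audit_contexts().items():
        print(f"{key}: {value}")
```

On a current system the report shows sslv2_compiled_in False and both contexts unreachable over SSLv2, which is the library-level fact a PCI scanner is really testing for; on a 1.0.0-era build, the untouched context's line is the one that tells you whether that application's default still needs attention.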