On Fri September 2 2011, Michael B Allen wrote:
> On Fri, Sep 2, 2011 at 2:09 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> > On Fri, Sep 02, 2011, Michael B Allen wrote:
> >
> >> Hello,
> >>
> >> Is there a way to disable SSLv2 system-wide (assuming non-static
> >> linking)? I am trying to get a CentOS 5.6 system to pass a PCI credit
> >> card processing certification and the scanning company blindly flags
> >> SSLv2 as non-compliant. Rather than try to disable SSLv2 in each
> >> application (postfix, Apache, Dovecot, etc), I was hoping there was a
> >> low-level directive that would block SSLv2 (but not SSLv3 or TLSv1).
> >>
> >> Is there any such directive to torpedo SSLv2 specifically?
> >>
> >
> > Which version of OpenSSL are you using? In OpenSSL 1.0.0 and later the
> > cipher string determines whether SSLv2 support is advertised or accepted
> > and the default cipher string includes no SSLv2 ciphers.
> >
> > Alternatively try no-ssl2 on the command line but that hasn't been tested
> > for a while. If you use that you will get linker errors in applications
> > that reference SSLv2 directly.
> >
> > Third option. At the end of SSL_CTX_new in ssl/ssl_lib.c the options flag
> > has some settings added. Add something to disable SSLv2:
> >
> > ret->options |= SSL_OP_NO_SSLv2;
>
> Hi Steve,
>
> Well I was hoping there was some kind of global configuration file
> directive that would affect the behavior of the openssl library and at
> least everything dynamically linked with it.
>
But if you did it that way, wouldn't the entire PCI credit card processing
certification depend on that configuration file being used, unaltered, from
that point onwards? That sounds sort of long-term fragile to me.

The better sounding answer to me is Steve's third suggestion, disable SSLv2
in the source and re-build. __AND__ be sure that the controls of the CentOS
package manager (Yum?) are set so it will not blindly "update" either the
custom built package or the special-purposed configuration file. As
appropriate to whichever route you decide to take.

Mike

> But based on your answer
> it's fairly clear that there is no such option.
>
> Thanks,
> Mike
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
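Whichever route is taken (rebuilt library, per-application directives, or a cipher string), the thing the PCI scanner actually measures is whether each listening service still completes an SSLv2 handshake. The script below is an added example, not code from the thread or from OpenSSL; it probes the services the original poster named (Postfix with STARTTLS on 25, Apache on 443, Dovecot on 993 and 995) with `openssl s_client -ssl2` and classifies the captured output. It assumes an OpenSSL build that still ships SSLv2 and the `-ssl2` option (such as the 0.9.8 series on CentOS 5); on OpenSSL 1.1.0 and later the option no longer exists and the probe reports "untestable" rather than a false "rejected". The host name, port list and the sample outputs in comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSL): probe each TLS-speaking
# service for SSLv2 acceptance the way a PCI ASV scanner would.
# Assumption: the local openssl still accepts "-ssl2" (OpenSSL 0.9.8/1.0.x);
# on 1.1.0+ the option is gone and the probe is reported as "untestable".

# Classify captured s_client output.
#   accepted   - the session summary shows "Protocol  : SSLv2"
#   untestable - the local openssl has no -ssl2 option
#   rejected   - anything else (handshake failure, connection refused, ...)
classify_ssl2() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'Protocol *: *SSLv2'; then
        echo accepted
    elif printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo untestable
    else
        echo rejected
    fi
}

# Probe one port. $3 is an optional -starttls protocol (smtp, pop3, imap).
# "Q" on stdin tells s_client to quit as soon as the handshake completes.
probe_ssl2() {
    host="$1"; port="$2"; starttls="$3"
    if [ -n "$starttls" ]; then
        out=$(echo Q | openssl s_client -ssl2 -connect "$host:$port" -starttls "$starttls" 2>&1)
    else
        out=$(echo Q | openssl s_client -ssl2 -connect "$host:$port" 2>&1)
    fi
    classify_ssl2 "$out"
}

# Services from the thread: Postfix (25, STARTTLS), Apache (443),
# Dovecot (993 IMAPS, 995 POP3S). Format is port:starttls-protocol.
# Returns 1 if any service still accepts SSLv2, 0 otherwise.
scan_host() {
    host="$1"
    rc=0
    for spec in 25:smtp 443: 993: 995:; do
        port=${spec%%:*}; proto=${spec#*:}
        result=$(probe_ssl2 "$host" "$port" "$proto")
        echo "$host:$port SSLv2 $result"
        if [ "$result" = accepted ]; then
            rc=1
        fi
    done
    return $rc
}

# Usage: sh ssl2probe.sh mail.example.com   (host name is an assumption)
if [ $# -gt 0 ]; then
    scan_host "$1"
fi
```

Run it from a second machine, since a scanner sees the listening sockets, not the library version. Because it only matches the session summary, it reports "rejected" for a service that is down or refusing connections; read the per-port lines rather than just the exit status. If the fix is a rebuilt openssl package, the same scan should be repeated after every `yum update`, and the package should be excluded from updates (for example via an `exclude=` line in /etc/yum.conf, which is yum's own mechanism, not something from the thread) so the patched library is not silently replaced.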