On Sat, Oct 11, 2014 at 4:33 PM, Salz, Rich <rs...@akamai.com> wrote:
>
>> For example, what if SSLv2_client_method() returns non-NULL but SSLv2 was
>> disabled in some other way by a distribution.
>
> Well then you're hosed. Distro's will do what they want, and there's nothing
> we can do about it.
Here's the case I'm worried/concerned about:
SSL_CTX* ctx = SSL_CTX_new(SSLv2_client_method());
ASSERT(ctx != NULL)
But the distro silently set SSL_OP_NO_SSLv2.
> Do you have a real-world use-case for SSLv2? The use we see is negligible
> (well under 1%)
Yes: a compliance tool that looks at server configurations. I'd like
to differentiate between "No SSLv2" by either (1) SSLv2 was not
available in the client for testing vs (2) the server was configured
without SSLv2 support.
Jeff
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
