If that's the case (Jeffrey has "not observed the behavior") then I have done something wrong, which has been my suspicion anyway. But it seemed pretty straightforward.

Should simply setting the SSL_OP_NO_SSLv3 flag take care of it? I have done this both on the CTX and the session level.

At CTX init we do this:
  - sslv23_method()
  - SSL_CTX_new()
  - ssl_set_options (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2)

At session init:
  - SSL_new()
  - ssl_set_options (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2)
  - this is lab code – will be dependent on server configuration to disable SSLv3 based on customer's compatibility needs.

Thanks again.

+-+-+-+-+-+-+-+-+-
Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation, 176 South St. Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749
Office: 508-249-1257, FAX: 508-497-8027, Mobile: 978-500-2546, dave.mclel...@emc.com
+-+-+-+-+-+-+-+-+-

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton
Sent: Friday, October 24, 2014 8:42 AM
To: OpenSSL Users List
Subject: Re: openssl SSL3 vulnerability

On Fri, Oct 24, 2014 at 7:15 AM, mclellan, dave <dave.mclel...@emc.com> wrote:
> I have also had this same experience (1.0.1i) with SSLv3 being
> negotiated though I used the SSL_OP_NO_SSLv3 flag on the
> SSL_set_options call. (I have NOT re-built with SSLv3 disabled).
>
If that's the case, then a security related defect should be filed at https://www.openssl.org/support/rt.html. I have to qualify it with "if that's the case" because I use those same options, and I have not observed the behavior.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org