> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton
> Sent: Friday, 24 October, 2014 09:42
> To: OpenSSL Users List
> Subject: Re: openssl SSL3 vulnerability
>
> On Fri, Oct 24, 2014 at 9:30 AM, Michael Wojcik
> <michael.woj...@microfocus.com> wrote:
> > You have "SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2" there. I assume "v2 ... v2" is
> > a typo, but if that's what your code actually has, then that's the problem.
> > (Assuming there isn't some other problem, of course.)
>
> That's actually correct in this case.
>
> $ cat ssl/ssl.h | grep SSL_OP_NO_
> #define SSL_OP_NO_QUERY_MTU 0x00001000L
> #define SSL_OP_NO_TICKET 0x00004000L
> #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
> #define SSL_OP_NO_COMPRESSION 0x00020000L
> #define SSL_OP_NO_SSLv2 0x01000000L
> #define SSL_OP_NO_SSLv3 0x02000000L
> #define SSL_OP_NO_TLSv1 0x04000000L
> #define SSL_OP_NO_TLSv1_2 0x08000000L
> #define SSL_OP_NO_TLSv1_1 0x10000000L
"Correct" how? He says he wants to disable SSLv3, but he's ORing OP_NO_SSLv2 with itself (in the pseudocode he posted), and not using SSL_OP_NO_SSLv3. That was my point.

My assumption was this was a typo in the pseudocode, but if it also exists in the real code, then he's not setting SSL_OP_NO_SSLv3.

Am I missing something?

--
Michael Wojcik
Technology Specialist, Micro Focus
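The bit arithmetic behind the point above, as an added example that is not code from either poster or from OpenSSL: ORing SSL_OP_NO_SSLv2 with itself yields SSL_OP_NO_SSLv2 and leaves the SSLv3 bit clear, so SSLv3 stays enabled. The SSL_OP_NO_* values are copied from the ssl.h grep quoted in the thread (OpenSSL 1.0.x) so the example compiles without OpenSSL installed; in real code you would include <openssl/ssl.h>, pass the mask to SSL_CTX_set_options(ctx, opts) and read it back with SSL_CTX_get_options(ctx). The helper names disables_sslv3 and enabled_versions are this example's own, not OpenSSL API.

```c
/* Added example, not from the thread or from OpenSSL. Constants copied from
 * the ssl.h grep quoted above so this builds without OpenSSL headers. */
#include <stdio.h>
#include <string.h>

#define SSL_OP_NO_SSLv2   0x01000000L
#define SSL_OP_NO_SSLv3   0x02000000L
#define SSL_OP_NO_TLSv1   0x04000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L

/* Nonzero if the option mask actually clears the SSLv3 bit. */
int disables_sslv3(long opts)
{
    return (opts & SSL_OP_NO_SSLv3) != 0;
}

/* Writes a comma-separated list of the protocol versions that opts leaves
 * enabled into buf (capacity n) and returns how many there are. */
int enabled_versions(long opts, char *buf, size_t n)
{
    static const struct { long flag; const char *name; } v[] = {
        { SSL_OP_NO_SSLv2,   "SSLv2"   },
        { SSL_OP_NO_SSLv3,   "SSLv3"   },
        { SSL_OP_NO_TLSv1,   "TLSv1"   },
        { SSL_OP_NO_TLSv1_1, "TLSv1.1" },
        { SSL_OP_NO_TLSv1_2, "TLSv1.2" },
    };
    int count = 0;
    size_t i;

    buf[0] = '\0';
    for (i = 0; i < sizeof v / sizeof v[0]; i++) {
        if (opts & v[i].flag)
            continue;                         /* this version is disabled */
        if (count++)
            strncat(buf, ",", n - strlen(buf) - 1);
        strncat(buf, v[i].name, n - strlen(buf) - 1);
    }
    return count;
}

int main(void)
{
    char buf[64];
    /* The mask from the pseudocode under discussion: NO_SSLv2 ORed with itself. */
    long typo_mask  = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2;
    /* What was presumably intended. */
    long fixed_mask = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;

    enabled_versions(typo_mask, buf, sizeof buf);
    printf("typo mask  0x%08lx disables SSLv3: %s; still enabled: %s\n",
           typo_mask, disables_sslv3(typo_mask) ? "yes" : "no", buf);

    enabled_versions(fixed_mask, buf, sizeof buf);
    printf("fixed mask 0x%08lx disables SSLv3: %s; still enabled: %s\n",
           fixed_mask, disables_sslv3(fixed_mask) ? "yes" : "no", buf);
    return 0;
}
```

The same check can be made against a live context: read back SSL_CTX_get_options(ctx) after configuration and confirm the SSL_OP_NO_SSLv3 bit is set, rather than trusting the flag expression by eye.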