ARGH! Good catch. Yes the second one is a typo -- the code shows SSLv3 for the second flag. s/b: copy and paste didn’t work so I had to re-fatfinger.
- sslv23_method()
- SSL_CTX_new()
- ssl_set_options (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)

at session init:

- SSL_new()
- ssl_set_options (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)

Dave

+-+-+-+-+-+-+-+-+-
Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation, 176 South St. Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749
Office: 508-249-1257, FAX: 508-497-8027, Mobile: 978-500-2546, dave.mclel...@emc.com
+-+-+-+-+-+-+-+-+-

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Michael Wojcik
Sent: Friday, October 24, 2014 9:30 AM
To: openssl-users@openssl.org
Subject: RE: openssl SSL3 vulnerability

You have "SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2" there. I assume "v2 ... v2" is a typo, but if that's what your code actually has, then that's the problem. (Assuming there isn't some other problem, of course.)

Michael Wojcik
Technology Specialist, Micro Focus

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of mclellan, dave
Sent: Friday, 24 October, 2014 09:06
To: openssl-users@openssl.org
Subject: RE: openssl SSL3 vulnerability

If that's the case (Jeffrey has "not observed the behavior") then I have done something wrong, which has been my suspicion anyway. But it seemed pretty straightforward. Should simply setting the SSL_OP_NO_SSLv3 flag take care of it? I have done this both on the CTX and the session level.

At CTX init we do this:

- sslv23_method()
- SSL_CTX_new()
- ssl_set_options (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2)

at session init:

- SSL_new()
- ssl_set_options (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2)

This is lab code; it will be dependent on server configuration to disable SSLv3 based on customer's compatibility needs.

Thanks again.

+-+-+-+-+-+-+-+-+-
Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation
+-+-+-+-+-+-+-+-+-

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton
Sent: Friday, October 24, 2014 8:42 AM
To: OpenSSL Users List
Subject: Re: openssl SSL3 vulnerability

On Fri, Oct 24, 2014 at 7:15 AM, mclellan, dave <dave.mclel...@emc.com> wrote:
> I have also had this same experience (1.0.1i) with SSLv3 being
> negotiated though I used the SSL_OP_NO_SSLv3 flag on the
> SSL_set_options call. (I have NOT re-built with SSLv3 disabled).
>
If that's the case, then a security related defect should be filed at https://www.openssl.org/support/rt.html.

I have to qualify it with "if that's the case" because I use those same options, and I have not observed the behavior.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org