On Fri, Oct 24, 2014 at 9:53 AM, Michael Wojcik <michael.woj...@microfocus.com> wrote:
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton
>> Sent: Friday, 24 October, 2014 09:42
>> To: OpenSSL Users List
>> Subject: Re: openssl SSL3 vulnerability
>>
>> On Fri, Oct 24, 2014 at 9:30 AM, Michael Wojcik
>> <michael.woj...@microfocus.com> wrote:
>> > You have "SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2" there. I assume "v2 ... v2" is
>> > a typo, but if that's what your code actually has, then that's the problem.
>> > (Assuming there isn't some other problem, of course.)
>> >
>> That's actually correct in this case.
>>
>> $ cat ssl/ssl.h | grep SSL_OP_NO_
>> #define SSL_OP_NO_QUERY_MTU                             0x00001000L
>> #define SSL_OP_NO_TICKET                                0x00004000L
>> #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   0x00010000L
>> #define SSL_OP_NO_COMPRESSION                           0x00020000L
>> #define SSL_OP_NO_SSLv2                                 0x01000000L
>> #define SSL_OP_NO_SSLv3                                 0x02000000L
>> #define SSL_OP_NO_TLSv1                                 0x04000000L
>> #define SSL_OP_NO_TLSv1_2                               0x08000000L
>> #define SSL_OP_NO_TLSv1_1                               0x10000000L
>
> "Correct" how? He says he wants to disable SSLv3, but he's ORing OP_NO_SSLv2
> with itself (in the pseudocode he posted), and not using SSL_OP_NO_SSLv3.
> That was my point.
>
> My assumption was this was a typo in the pseudocode, but if it also exists in
> the real code, then he's not setting SSL_OP_NO_SSLv3.
>
> Am I missing something?

I think I am.... This looks OK to me:

    ::SSL_CTX_set_options(ctx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION));

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
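The point of the exchange above is that SSL_OP_NO_* options are a bitmask, so "SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2" collapses to a single bit and SSLv3 stays negotiable, whereas the line Jeff posts sets both bits. The following is an added, stand-alone C illustration of that bitmask arithmetic; it is not code from the thread or from OpenSSL and does not link against libssl. The option values are the ones from the ssl.h grep quoted in the thread; set_options() is a hypothetical stand-in for SSL_CTX_set_options(), which (in real OpenSSL) ORs the new bits into the context's existing options rather than replacing them, and the helper names (enabled_versions, ssl3_disabled, describe_enabled) are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Option bits exactly as listed in the ssl.h grep quoted in the thread. */
#define SSL_OP_NO_COMPRESSION 0x00020000L
#define SSL_OP_NO_SSLv2       0x01000000L
#define SSL_OP_NO_SSLv3       0x02000000L
#define SSL_OP_NO_TLSv1       0x04000000L
#define SSL_OP_NO_TLSv1_2     0x08000000L
#define SSL_OP_NO_TLSv1_1     0x10000000L

/* Every protocol-version-disabling bit (this example's own convenience mask). */
#define SSL_OP_NO_ANY_PROTO (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | \
                             SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2)

/* The two option values under discussion: the "v2 ... v2" pseudocode and the corrected line. */
#define TYPO_OPTS  (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2)
#define FIXED_OPTS (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION)

struct proto { const char *name; long no_bit; };
static const struct proto protos[] = {
    {"SSLv2",   SSL_OP_NO_SSLv2},
    {"SSLv3",   SSL_OP_NO_SSLv3},
    {"TLSv1",   SSL_OP_NO_TLSv1},
    {"TLSv1.1", SSL_OP_NO_TLSv1_1},
    {"TLSv1.2", SSL_OP_NO_TLSv1_2},
};

/* Hypothetical stand-in for SSL_CTX_set_options(): bits are ORed in, never cleared. */
long set_options(long *ctx_opts, long opts)
{
    *ctx_opts |= opts;
    return *ctx_opts;
}

/* SSL_OP_NO_* bits for the versions that are still negotiable (NOT set in opts). */
long enabled_versions(long opts)
{
    return SSL_OP_NO_ANY_PROTO & ~opts;
}

/* 1 if opts excludes SSLv3, 0 if SSLv3 can still be negotiated. */
int ssl3_disabled(long opts)
{
    return (opts & SSL_OP_NO_SSLv3) != 0;
}

/* Write a comma-separated list of the enabled versions into buf; returns how many. */
int describe_enabled(long opts, char *buf, size_t n)
{
    int count = 0;
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof protos / sizeof protos[0]; i++) {
        if (opts & protos[i].no_bit)
            continue;                     /* this version is disabled */
        int w = snprintf(buf + used, n - used, "%s%s", count ? "," : "", protos[i].name);
        if (w < 0 || (size_t)w >= n - used)
            break;                        /* buffer full: stop rather than overrun */
        used += (size_t)w;
        count++;
    }
    return count;
}

int main(void)
{
    char buf[80];
    long ctx = 0;                         /* simulated fresh SSL_CTX: no options set */

    describe_enabled(TYPO_OPTS, buf, sizeof buf);
    printf("NO_SSLv2 | NO_SSLv2  -> 0x%08lx, SSLv3 disabled: %d, enabled: %s\n",
           TYPO_OPTS, ssl3_disabled(TYPO_OPTS), buf);

    describe_enabled(FIXED_OPTS, buf, sizeof buf);
    printf("NO_SSLv2 | NO_SSLv3  -> 0x%08lx, SSLv3 disabled: %d, enabled: %s\n",
           FIXED_OPTS, ssl3_disabled(FIXED_OPTS), buf);

    /* Two separate calls accumulate, as SSL_CTX_set_options() does. */
    set_options(&ctx, SSL_OP_NO_SSLv2);
    set_options(&ctx, SSL_OP_NO_SSLv3);
    printf("after two set_options calls -> 0x%08lx\n", ctx);
    return 0;
}
```

Because the real SSL_CTX_set_options() only adds bits, the safest check in production code is to read the mask back with SSL_CTX_get_options() after configuration and assert that SSL_OP_NO_SSLv3 is present; on OpenSSL 1.1.0 and later, SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION) expresses the same policy without enumerating individual SSL_OP_NO_* bits.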