SSL_OP_* are bitmasks.

    SSL_CTX_set_options(conn->ssl_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);

-Kyle H

On 11/14/2014 12:37 AM, Vaghasiya, Nimesh wrote:
> Hi,
>
> Thanks for the info.
>
> (a typo in previous mail).
>
> Could you please confirm whether following will ensure my SSLv23
> methods will no more accept SSLv3 and SSLv2 connections ?
>
> conn->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
>
> SSL_CTX_set_options(conn->ssl_ctx, SSL_OP_NO_SSLv2);
> SSL_CTX_set_options(conn->ssl_ctx, SSL_OP_NO_SSLv3);
>
> Regards,
> Nimesh
> ------------------------------------------------------------------------
> *From:* owner-openssl-...@openssl.org [owner-openssl-...@openssl.org]
> on behalf of Viktor Dukhovni [openssl-us...@dukhovni.org]
> *Sent:* Friday, November 14, 2014 12:05 PM
> *To:* openssl-users@openssl.org
> *Subject:* Re: Query regarding SSLv23 methods
>
> On Fri, Nov 14, 2014 at 06:26:24AM +0000, Vaghasiya, Nimesh wrote:
>
> [ It is rude to ask user questions on the dev list (moved to Bcc). ]
>
> > We are in process of disabling SSLv3 and SSLv2 protocols from all of
> > our FreeBSD based applications.
> >
> > For SSLv23 methods we are setting SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3
> > options as shown below,
> >
> > conn->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
> > SSL_CTX_set_mode(conn->ssl_ctx, SSL_OP_NO_SSLv2);
> >
> > SSL_CTX_set_mode(conn->ssl_ctx, SSL_OP_NO_SSLv3);
> >
> > Does this ensure my SSLv23 methods will no more accept SSLv3 and
> > SSLv2 connections ?
>
> No, it does not.
>
> You really should read the manpage for SSL_CTX_set_mode(3) that
> function is unrelated to setting the options in question.
>
> To control protocol feature and work-around options see
> SSL_CTX_set_options(3).
>
> --
> Viktor.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-...@openssl.org
> Automated List Manager                           majord...@openssl.org