On Thu, Oct 07, 2021 at 09:38:30AM -0500, Mark Hack wrote:
> Added to all the weaknesses in SSLv3, the only supported cipher suites
> are either vulnerable or deprecated and not advisable.
If we set aside browsers where CBC padding oracles are a problem, the
below are in practice still reasonabl
Added to all the weaknesses in SSLv3, the only supported cipher suites
are either vulnerable or deprecated and not advisable.
SSL_RSA_WITH_NULL_MD5 NULL-MD5
SSL_RSA_WITH_NULL_SHA NULL-SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5
SSL_RSA_WITH_RC4_
Fair enough. We are not using SSLv3, the code just made reference to the
method. I will compile it out.
Thanks!
> On Oct 5, 2021, at 5:09 PM, Viktor Dukhovni
> wrote:
>
> On Tue, Oct 05, 2021 at 03:49:48PM -0700, Kory Hamzeh wrote:
>
>> It looks like SSLv3 is not built by default in OpenSSL
On Tue, Oct 05, 2021 at 03:49:48PM -0700, Kory Hamzeh wrote:
> It looks like SSLv3 is not built by default in OpenSSL 3.0.0. At least
> SSLv3_method() is not define, and looking at the conditional
> compilation of that function, it makes sense.
>
> What command line option do I pass the Configure
Hi,
It looks like SSLv3 is not built by default in OpenSSL 3.0.0. At least
SSLv3_method() is not define, and looking at the conditional compilation of
that function, it makes sense.
What command line option do I pass the Configure script to enable it? I tried
enable-sslv3 and enable-SSLv3. It
