About no-ssl2


About no-ssl2

Michel

Hi,

IMHO, whether SSL2 is completely removed or disabled, I would have expected opensslconf.h to reflect the situation to applications.

But now, it just contains:

    #ifndef OPENSSL_NO_SSL3
    # define OPENSSL_NO_SSL3
    #endif

Was it really intended?

Regards,

Michel.



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: About no-ssl2

Viktor Dukhovni
On Wed, Mar 16, 2016 at 11:32:28PM +0100, Michel wrote:

> IMHO, whether SSL2 is completely removed or disabled, I would have expected
> opensslconf.h to reflect the situation to applications.

In what release?

> But now, it just contains :
>
> #ifndef OPENSSL_NO_SSL3
>
> # define OPENSSL_NO_SSL3
>
> #endif
>
> Was it really intended ?

OpenSSL 1.1.0 has no vestigial SSLv2 code, and so nothing to disable
with OPENSSL_NO_SSL2.  The "OPENSSL_NO_..." macros specify disabled
features, not deleted code.

--
        Viktor.

Re: About no-ssl2

Richard Moore


On 16 March 2016 at 22:39, Viktor Dukhovni <[hidden email]> wrote:
> On Wed, Mar 16, 2016 at 11:32:28PM +0100, Michel wrote:
> OpenSSL 1.1.0 has no vestigial SSLv2 code, and so nothing to disable
> with OPENSSL_NO_SSL2.  The "OPENSSL_NO_..." macros specify disabled
> features, not deleted code.

That's the major flaw of the current design of flagging when features are disabled rather than when they're present. I'm sure you'll get plenty more reports like this.

Rich.


Re: About no-ssl2

Viktor Dukhovni
On Wed, Mar 16, 2016 at 10:52:39PM +0000, Richard Moore wrote:

> On 16 March 2016 at 22:39, Viktor Dukhovni <[hidden email]>
> wrote:
>
> > On Wed, Mar 16, 2016 at 11:32:28PM +0100, Michel wrote:
> > OpenSSL 1.1.0 has no vestigial SSLv2 code, and so nothing to disable
> > with OPENSSL_NO_SSL2.  The "OPENSSL_NO_..." macros specify disabled
> > features, not deleted code.
> >
>
> That's the major flaw of the current design of flagging when features are
> disabled rather than when they're present. I'm sure you'll get plenty more
> reports like this.

Use feature probing via autoconf, or just:

    #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_NO_SSL2)
    /* SSLv2 available */
    #else
    /* SSLv2 not available */
    #endif

Better yet, drop support for SSLv2, and then you don't care whether OpenSSL
provides it or not.

--
        Viktor.
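The version-plus-flag test above is the general shape of the probe: a feature is usable only if the library predates the release that deleted its code and the build did not disable it with the matching OPENSSL_NO_* macro. The following C file is an added example written for this page, not code from the thread or from OpenSSL. It keeps the decision in an ordinary function so the rule can be checked against any version/flag combination, then applies the same rule to whatever OpenSSL headers are present at build time. The helper names (openssl_feature_usable, sslv2_usable, sslv2_usable_at_build, and the field decoders) are this example's own, and the fallback definition of OPENSSL_VERSION_NUMBER used when no OpenSSL headers are installed is an assumption made so the file still compiles stand-alone.

```c
/*
 * Added example: compile-time feature probing for OpenSSL, generalised
 * from the SSLv2 snippet in the thread. Not part of the original post.
 */
#include <stdio.h>

/* Pull in the real OpenSSL macros when the headers exist on this host. */
#if defined(__has_include)
# if __has_include(<openssl/opensslconf.h>)
#  include <openssl/opensslconf.h>   /* OPENSSL_NO_* "disabled feature" flags */
# endif
# if __has_include(<openssl/opensslv.h>)
#  include <openssl/opensslv.h>      /* OPENSSL_VERSION_NUMBER */
# endif
#endif

#ifndef OPENSSL_VERSION_NUMBER
/* Assumption for hosts without OpenSSL headers: behave like 1.1.0. */
# define OPENSSL_VERSION_NUMBER 0x10100000L
#endif

/*
 * 1.x encoding of OPENSSL_VERSION_NUMBER: 0xMNNFFPPS
 *   M = major, NN = minor, FF = fix, PP = patch letter (a=1, b=2, ...),
 *   S = status (0xf = release). 3.x keeps major/minor in the same bits.
 */
int openssl_major(unsigned long v) { return (int)((v >> 28) & 0xf); }
int openssl_minor(unsigned long v) { return (int)((v >> 20) & 0xff); }
int openssl_fix(unsigned long v)   { return (int)((v >> 12) & 0xff); }
int openssl_patch(unsigned long v) { return (int)((v >> 4) & 0xff); }

/*
 * Generic rule: usable only if the library is older than the release that
 * deleted the code ("removed_in") AND the build did not disable it via the
 * feature's OPENSSL_NO_* macro. Both conditions matter because, as the
 * thread notes, OPENSSL_NO_* marks disabled features, not deleted ones.
 */
int openssl_feature_usable(unsigned long version, unsigned long removed_in,
                           int no_macro_defined)
{
    if (version >= removed_in)
        return 0;               /* code no longer exists in this release */
    if (no_macro_defined)
        return 0;               /* code exists but was compiled out */
    return 1;
}

/* SSLv2: source deleted in 1.1.0; before that, OPENSSL_NO_SSL2 disables it. */
#define SSLV2_REMOVED_IN 0x10100000L

int sslv2_usable(unsigned long version, int no_ssl2_defined)
{
    return openssl_feature_usable(version, SSLV2_REMOVED_IN, no_ssl2_defined);
}

/* The same rule evaluated against the headers this file was built with. */
#if defined(OPENSSL_NO_SSL2)
# define APP_OPENSSL_NO_SSL2_DEFINED 1
#else
# define APP_OPENSSL_NO_SSL2_DEFINED 0
#endif

int sslv2_usable_at_build(void)
{
    return sslv2_usable(OPENSSL_VERSION_NUMBER, APP_OPENSSL_NO_SSL2_DEFINED);
}

int main(void)
{
    unsigned long v = OPENSSL_VERSION_NUMBER;
    printf("OpenSSL headers: %d.%d.%d (raw 0x%08lx)\n",
           openssl_major(v), openssl_minor(v), openssl_fix(v), v);
    printf("SSLv2 usable in this build: %s\n",
           sslv2_usable_at_build() ? "yes" : "no");
    return 0;
}
```

Because the rule lives in a function that takes the version number and flag as parameters, an application can keep one positive "have feature" answer of its own and never spread `#if OPENSSL_VERSION_NUMBER < ...` comparisons across the code base, which is the maintenance problem the rest of the thread complains about.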

Re: About no-ssl2

Michel
In reply to this post by Viktor Dukhovni


-----Original Message-----
From: openssl-users [mailto:[hidden email]] On Behalf Of
Viktor Dukhovni
Sent: Wednesday, 16 March 2016 23:40
To: [hidden email]
Subject: Re: [openssl-users] About no-ssl2

...

> In what release?

Sorry, I forgot to mention: current release 1.1.0 (pre 4).

> The "OPENSSL_NO_..." macros specify disabled features, not deleted code.

Yes, I understand this point, but I was thinking it was also used more
generally to inform about [un]available functionalities.

Anyway,

Thanks for your answer Viktor.

Michel.


Re: About no-ssl2

Richard Moore
In reply to this post by Viktor Dukhovni


On 16 March 2016 at 22:58, Viktor Dukhovni <[hidden email]> wrote:
> On Wed, Mar 16, 2016 at 10:52:39PM +0000, Richard Moore wrote:
>
> > On 16 March 2016 at 22:39, Viktor Dukhovni <[hidden email]>
> > wrote:
> >
> > > On Wed, Mar 16, 2016 at 11:32:28PM +0100, Michel wrote:
> > > OpenSSL 1.1.0 has no vestigial SSLv2 code, and so nothing to disable
> > > with OPENSSL_NO_SSL2.  The "OPENSSL_NO_..." macros specify disabled
> > > features, not deleted code.
> > >
> >
> > That's the major flaw of the current design of flagging when features are
> > disabled rather than when they're present. I'm sure you'll get plenty more
> > reports like this.
>
> Use feature probing via autoconf, or just:
>
>     #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_NO_SSL2)
>     /* SSLv2 available */
>     #else
>     /* SSLv2 not available */
>     #endif
>
> Better yet, drop support for SSLv2, and then you don't care whether OpenSSL
> provides it or not.

SSL2 is simply an example of this issue; the same applies to others, e.g. it will no doubt occur in future for NPN since ALPN has replaced it.

The problem is the concept itself, since it will require every app to have coded into it when a given feature was removed should it attempt to support it when present.

Rich.


Re: About no-ssl2

Salz, Rich
> The problem is the concept itself, since it will require every app to have coded into it when a given feature was removed should it attempt to support it when present.

Yes.

It dates back to the very early days (when SSLeay was developed on clay tablets), when the default was "get it all" and specific defines were used to turn off small specific things.

In the 20 years since then, the world has moved to "safe by default" which is different.

Oh well.