diff options
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-02-17 21:37:15 -0500 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-03-01 11:23:45 +0000 |
commit | 56f1acf5ef8a432992497a04792ff4b3b2c6f286 (patch) | |
tree | bf226af21a50e098e3046c03cbbeb3d5e3b9ec49 /Configure | |
parent | 8f651326a5cbec5ca7cf0bad0205d4c87dc8c2d0 (diff) |
Disable SSLv2 default build, default negotiation and weak ciphers.
SSLv2 is by default disabled at build-time. Builds that are not
configured with "enable-ssl2" will not support SSLv2. Even if
"enable-ssl2" is used, users who want to negotiate SSLv2 via the
version-flexible SSLv23_method() will need to explicitly call either
of:
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
as appropriate. Even if either of those is used, or the application
explicitly uses the version-specific SSLv2_method() or its client
or server variants, SSLv2 ciphers vulnerable to exhaustive search
key recovery have been removed. Specifically, the SSLv2 40-bit
EXPORT ciphers, and SSLv2 56-bit DES are no longer available.
Mitigation for CVE-2016-0800
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Diffstat (limited to 'Configure')
-rwxr-xr-x | Configure | 3 |
1 files changed, 2 insertions, 1 deletions
@@ -724,8 +724,9 @@ my %disabled = ( # "what" => "comment" [or special keyword "experimental "md2" => "default", "rc5" => "default", "rfc3779" => "default", - "sctp" => "default", + "sctp" => "default", "shared" => "default", + "ssl2" => "default", "store" => "experimental", "unit-test" => "default", "zlib" => "default", |