author | Kurt Roeckx <kurt@roeckx.be> | 2014-11-30 15:35:22 +0100 |
---|---|---|
committer | Kurt Roeckx <kurt@roeckx.be> | 2014-12-04 11:55:03 +0100 |
commit | 45f55f6a5bdcec411ef08a6f8aae41d5d3d234ad (patch) | |
tree | 56dba3e74061df914c5d4fa2faf89e7a24c6457c /apps | |
parent | 616f71e486d693991b594439c884ec624b32c2d4 (diff) |
Remove SSLv2 support
The only SSLv2 support left is receiving an SSLv2-compatible client hello.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'apps')
-rw-r--r-- | apps/ciphers.c | 9 | ||||
-rw-r--r-- | apps/s_cb.c | 68 | ||||
-rw-r--r-- | apps/s_client.c | 40 | ||||
-rw-r--r-- | apps/s_server.c | 15 | ||||
-rw-r--r-- | apps/s_time.c | 9 |
5 files changed, 3 insertions, 138 deletions
diff --git a/apps/ciphers.c b/apps/ciphers.c
index 85760cd42d..7de7dd3b38 100644
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -73,7 +73,6 @@ static const char *ciphers_usage[]={
 "usage: ciphers args\n",
 " -v - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
 " -V - even more verbose\n",
-" -ssl2 - SSL2 mode\n",
 " -ssl3 - SSL3 mode\n",
 " -tls1 - TLS1 mode\n",
 NULL
@@ -130,10 +129,6 @@ int MAIN(int argc, char **argv)
 else if (strcmp(*argv,"-stdname") == 0)
 stdname=verbose=1;
 #endif
-#ifndef OPENSSL_NO_SSL2
- else if (strcmp(*argv,"-ssl2") == 0)
- meth=SSLv2_client_method();
-#endif
 #ifndef OPENSSL_NO_SSL3
 else if (strcmp(*argv,"-ssl3") == 0)
 meth=SSLv3_client_method();
@@ -210,9 +205,7 @@ int MAIN(int argc, char **argv)
 int id2 = (int)((id >> 8) & 0xffL);
 int id3 = (int)(id & 0xffL);
- if ((id & 0xff000000L) == 0x02000000L)
- BIO_printf(STDout, " 0x%02X,0x%02X,0x%02X - ", id1, id2, id3); /* SSL2 cipher */
- else if ((id & 0xff000000L) == 0x03000000L)
+ if ((id & 0xff000000L) == 0x03000000L)
 BIO_printf(STDout, " 0x%02X,0x%02X - ", id2, id3); /* SSL3 cipher */
 else
 BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 0184125447..f3892f92e6 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -621,8 +621,6 @@ static const char *ssl_version_str(int version)
 {
 switch (version)
 {
- case SSL2_VERSION:
- return "SSL 2.0";
 case SSL3_VERSION:
 return "SSL 3.0";
 case TLS1_VERSION:
@@ -649,67 +647,6 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 str_version = ssl_version_str(version);
- if (version == SSL2_VERSION)
- {
- str_details1 = "???";
-
- if (len > 0)
- {
- switch (((const unsigned char*)buf)[0])
- {
- case 0:
- str_details1 = ", ERROR:";
- str_details2 = " ???";
- if (len >= 3)
- {
- unsigned err = (((const unsigned char*)buf)[1]<<8) + ((const unsigned char*)buf)[2];
-
- switch (err)
- {
- case 0x0001:
- str_details2 = " NO-CIPHER-ERROR";
- break;
- case 0x0002:
- str_details2 = " NO-CERTIFICATE-ERROR";
- break;
- case 0x0004:
- str_details2 = " BAD-CERTIFICATE-ERROR";
- break;
- case 0x0006:
- str_details2 = " UNSUPPORTED-CERTIFICATE-TYPE-ERROR";
- break;
- }
- }
-
- break;
- case 1:
- str_details1 = ", CLIENT-HELLO";
- break;
- case 2:
- str_details1 = ", CLIENT-MASTER-KEY";
- break;
- case 3:
- str_details1 = ", CLIENT-FINISHED";
- break;
- case 4:
- str_details1 = ", SERVER-HELLO";
- break;
- case 5:
- str_details1 = ", SERVER-VERIFY";
- break;
- case 6:
- str_details1 = ", SERVER-FINISHED";
- break;
- case 7:
- str_details1 = ", REQUEST-CERTIFICATE";
- break;
- case 8:
- str_details1 = ", CLIENT-CERTIFICATE";
- break;
- }
- }
- }
-
 if (version == SSL3_VERSION ||
 version == TLS1_VERSION ||
 version == TLS1_1_VERSION ||
@@ -1829,11 +1766,6 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx,
 case SSL_SECOP_CURVE_CHECK:
 nm = "Check Curve";
 break;
- case SSL_SECOP_SSL2_COMPAT:
- BIO_puts(sdb->out, "SSLv2 compatible");
- show_bits = 0;
- nm = NULL;
- break;
 case SSL_SECOP_VERSION:
 BIO_printf(sdb->out, "Version=%s", ssl_version_str(nid));
 show_bits = 0;
diff --git a/apps/s_client.c b/apps/s_client.c
index cde7713300..1a30ef2241 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
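Review bot: `openssl s_server -msg` can no longer label the SSLv2-compatible ClientHello that the commit message says the library still accepts, because the branch removed at the top of this hunk was the only code in msg_cb that named SSL2_VERSION records, and the preceding ssl_version_str hunk drops the "SSL 2.0" string as well. Whether that matters depends on how the remaining compat-hello path tags its message-callback invocation, which this diff does not show; if it still passes SSL2_VERSION, the record will be printed with ssl_version_str's fallback and no message name. In that case I would keep a minimal label rather than the whole decoder: `case SSL2_VERSION: return "SSL 2.0 (compatible client hello)";` in ssl_version_str and `if (version == SSL2_VERSION) str_details1 = ", CLIENT-HELLO";` here. If the callback is no longer invoked with SSL2_VERSION, a one-line comment saying so would save the next reader the same question. msg_cb begins and ends outside this hunk.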
@@ -335,7 +335,6 @@ static void sc_usage(void)
 BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
 BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
 #endif
- BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
 #ifndef OPENSSL_NO_SSL3_METHOD
 BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
 #endif
@@ -345,9 +344,8 @@ static void sc_usage(void)
 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
 BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
 BIO_printf(bio_err," -mtu - set the link layer MTU\n");
- BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
+ BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3 - turn off that protocol\n");
 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
- BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
 BIO_printf(bio_err," command to see what is available\n");
 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
@@ -912,10 +910,6 @@ static char *jpake_secret = NULL;
 meth=TLSv1_client_method();
 }
 #endif
-#ifndef OPENSSL_NO_SSL2
- else if (strcmp(*argv,"-ssl2") == 0)
- meth=SSLv2_client_method();
-#endif
 #ifndef OPENSSL_NO_SSL3_METHOD
 else if (strcmp(*argv,"-ssl3") == 0)
 meth=SSLv3_client_method();
@@ -2198,14 +2192,12 @@ end:
 static void print_stuff(BIO *bio, SSL *s, int full)
 {
 X509 *peer=NULL;
- char *p;
- static const char *space=" ";
 char buf[BUFSIZ];
 STACK_OF(X509) *sk;
 STACK_OF(X509_NAME) *sk2;
 const SSL_CIPHER *c;
 X509_NAME *xn;
- int j,i;
+ int i;
 #ifndef OPENSSL_NO_COMP
 const COMP_METHOD *comp, *expansion;
 #endif
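Review bot: The new `-no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3` help line drops -no_ssl2, but no hunk in this diff removes or changes the parsing of that option in s_client.c (nor in s_server.c, whose usage hunk does the same), so either the flag is still accepted while undocumented, or it was removed elsewhere and existing scripts that pass it now hit the usage error; which is intended is not visible here. If it is meant to survive as a compatibility no-op, keep it documented, e.g. `BIO_printf(bio_err," -no_ssl2 - accepted for compatibility, SSLv2 is no longer supported\n");`; if it is meant to go, the parse branch should be deleted in the same commit so the help text and the parser agree. The removed -serverpref line raises the same question, since its parsing is presumably still present and the option now becomes undocumented rather than removed. sc_usage starts outside this hunk.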
@@ -2267,34 +2259,6 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 {
 BIO_printf(bio,"---\nNo client certificate CA names sent\n");
 }
- p=SSL_get_shared_ciphers(s,buf,sizeof buf);
- if (p != NULL)
- {
- /* This works only for SSL 2. In later protocol
- * versions, the client does not know what other
- * ciphers (in addition to the one to be used
- * in the current connection) the server supports. */
-
- BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
- j=i=0;
- while (*p)
- {
- if (*p == ':')
- {
- BIO_write(bio,space,15-j%25);
- i++;
- j=0;
- BIO_write(bio,((i%3)?" ":"\n"),1);
- }
- else
- {
- BIO_write(bio,p,1);
- j++;
- }
- p++;
- }
- BIO_write(bio,"\n",1);
- }
 ssl_print_sigalgs(bio, s);
 ssl_print_tmp_key(bio, s);
diff --git a/apps/s_server.c b/apps/s_server.c
index d7d3ab25d6..504d3d9f07 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -508,7 +508,6 @@ static void sv_usage(void)
 BIO_printf(bio_err," -srpvfile file - The verifier file for SRP\n");
 BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n");
 #endif
- BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n");
 #ifndef OPENSSL_NO_SSL3_METHOD
 BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n");
 #endif
@@ -520,7 +519,6 @@ static void sv_usage(void)
 BIO_printf(bio_err," -timeout - Enable timeouts\n");
 BIO_printf(bio_err," -mtu - Set link layer MTU\n");
 BIO_printf(bio_err," -chain - Read a certificate chain\n");
- BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n");
 BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n");
 BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n");
 BIO_printf(bio_err," -no_tls1_1 - Just disable TLSv1.1\n");
@@ -1406,13 +1404,6 @@ int MAIN(int argc, char *argv[])
 { www=2; }
 else if (strcmp(*argv,"-HTTP") == 0)
 { www=3; }
-#ifndef OPENSSL_NO_SSL2
- else if (strcmp(*argv,"-ssl2") == 0)
- {
- no_ecdhe=1;
- meth=SSLv2_server_method();
- }
-#endif
 #ifndef OPENSSL_NO_SSL3_METHOD
 else if (strcmp(*argv,"-ssl3") == 0)
 { meth=SSLv3_server_method(); }
@@ -1768,9 +1759,6 @@ bad:
 if(strlen(session_id_prefix) >= 32)
 BIO_printf(bio_err,
 "warning: id_prefix is too long, only one new session will be possible\n");
- else if(strlen(session_id_prefix) >= 16)
- BIO_printf(bio_err,
-"warning: id_prefix is too long if you use SSLv2\n");
 if(!SSL_CTX_set_generate_session_id(ctx, generate_session_id))
 {
 BIO_printf(bio_err,"error setting 'id_prefix'\n");
@@ -1855,9 +1843,6 @@ bad:
 if(strlen(session_id_prefix) >= 32)
 BIO_printf(bio_err,
 "warning: id_prefix is too long, only one new session will be possible\n");
- else if(strlen(session_id_prefix) >= 16)
- BIO_printf(bio_err,
- "warning: id_prefix is too long if you use SSLv2\n");
 if(!SSL_CTX_set_generate_session_id(ctx2, generate_session_id))
 {
 BIO_printf(bio_err,"error setting 'id_prefix'\n");
diff --git a/apps/s_time.c b/apps/s_time.c
index 81dad53243..6542be2827 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -186,7 +186,6 @@ static void s_time_usage(void)
 printf("-connect host:port - host:port to connect to (default is %s)\n",SSL_CONNECT_NAME);
 #ifdef FIONBIO
 printf("-nbio - Run with non-blocking IO\n");
- printf("-ssl2 - Just use SSLv2\n");
 printf("-ssl3 - Just use SSLv3\n");
 printf("-bugs - Turn on SSL bug compatibility\n");
 printf("-new - Just time new connections\n");
@@ -282,10 +281,6 @@ static int parseArgs(int argc, char **argv)
 }
 else if(strcmp(*argv,"-bugs") == 0)
 st_bugs=1;
-#ifndef OPENSSL_NO_SSL2
- else if(strcmp(*argv,"-ssl2") == 0)
- s_time_meth=SSLv2_client_method();
-#endif
 #ifndef OPENSSL_NO_SSL3
 else if(strcmp(*argv,"-ssl3") == 0)
 s_time_meth=SSLv3_client_method();
@@ -430,8 +425,6 @@ int MAIN(int argc, char **argv)
 ver='t';
 else if (ver == SSL3_VERSION)
 ver='3';
- else if (ver == SSL2_VERSION)
- ver='2';
 else
 ver='*';
 }
@@ -523,8 +516,6 @@ next:
 ver='t';
 else if (ver == SSL3_VERSION)
 ver='3';
- else if (ver == SSL2_VERSION)
- ver='2';
 else
 ver='*';
 }
|