Commit 87d9cafa authored by Matt Caswell

Remove some SSLv2 references

There were a few remaining references to SSLv2 support which are no longer
relevant now that it has been removed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Parent b7fa1f98
...@@ -371,16 +371,16 @@ argument. ...@@ -371,16 +371,16 @@ argument.
The order of operations is significant. This can be used to set either defaults The order of operations is significant. This can be used to set either defaults
or values which cannot be overridden. For example if an application calls: or values which cannot be overridden. For example if an application calls:
SSL_CONF_cmd(ctx, "Protocol", "-SSLv2"); SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
SSL_CONF_cmd(ctx, userparam, uservalue); SSL_CONF_cmd(ctx, userparam, uservalue);
it will disable SSLv2 support by default but the user can override it. If it will disable SSLv3 support by default but the user can override it. If
however the call sequence is: however the call sequence is:
SSL_CONF_cmd(ctx, userparam, uservalue); SSL_CONF_cmd(ctx, userparam, uservalue);
SSL_CONF_cmd(ctx, "Protocol", "-SSLv2"); SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
SSLv2 is B<always> disabled and attempt to override this by the user are SSLv3 is B<always> disabled and attempt to override this by the user are
ignored. ignored.
By checking the return code of SSL_CTX_cmd() it is possible to query if a By checking the return code of SSL_CTX_cmd() it is possible to query if a
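Review bot: the rewritten sentence at the end of this hunk still reads "attempt to override this by the user are ignored"; since the line is being changed anyway, make it "attempts to override this by the user are ignored". The unchanged context line that follows refers to SSL_CTX_cmd(), which does not match the SSL_CONF_cmd() function the surrounding examples use and is worth correcting in the same pass.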
...@@ -416,9 +416,9 @@ Set supported signature algorithms: ...@@ -416,9 +416,9 @@ Set supported signature algorithms:
SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256"); SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");
Enable all protocols except SSLv3 and SSLv2: Enable all protocols except SSLv3:
SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2"); SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3");
Only enable TLSv1.2: Only enable TLSv1.2:
......
...@@ -141,9 +141,8 @@ This option is no longer implemented and is treated as no op. ...@@ -141,9 +141,8 @@ This option is no longer implemented and is treated as no op.
When choosing a cipher, use the server's preferences instead of the client When choosing a cipher, use the server's preferences instead of the client
preferences. When not set, the SSL server will always follow the clients preferences. When not set, the SSL server will always follow the clients
preferences. When set, the SSLv3/TLSv1 server will choose following its preferences. When set, the SSL/TLS server will choose following its
own preferences. Because of the different protocol, for SSLv2 the server own preferences.
will send its list of preferences to the client and the client chooses.
=item SSL_OP_PKCS1_CHECK_1 =item SSL_OP_PKCS1_CHECK_1
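Review bot: with the SSLv2 clause gone, "the SSL/TLS server will choose following its own preferences" reads awkwardly; suggest "the SSL/TLS server will choose the cipher according to its own preferences". The unchanged line above it, "follow the clients preferences", also needs an apostrophe ("the client's preferences").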
...@@ -154,11 +153,6 @@ will send its list of preferences to the client and the client chooses. ...@@ -154,11 +153,6 @@ will send its list of preferences to the client and the client chooses.
... ...
=item SSL_OP_NO_SSLv2
Do not use the SSLv2 protocol.
=item SSL_OP_NO_SSLv3 =item SSL_OP_NO_SSLv3
Do not use the SSLv3 protocol. Do not use the SSLv3 protocol.
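Review bot: deleting the SSL_OP_NO_SSLv2 item outright leaves applications that still pass that option with no documentation for it. If the macro is kept in the header for source compatibility, document it the way the option at the top of the previous hunk is handled ("This option is no longer implemented and is treated as no op.") instead of dropping the entry, so a reader can tell the flag is harmless rather than undocumented.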
...@@ -200,9 +194,6 @@ OpenSSL always attempts to use secure renegotiation as ...@@ -200,9 +194,6 @@ OpenSSL always attempts to use secure renegotiation as
described in RFC5746. This counters the prefix attack described in described in RFC5746. This counters the prefix attack described in
CVE-2009-3555 and elsewhere. CVE-2009-3555 and elsewhere.
The deprecated and highly broken SSLv2 protocol does not support
renegotiation at all: its use is B<strongly> discouraged.
This attack has far reaching consequences which application writers should be This attack has far reaching consequences which application writers should be
aware of. In the description below an implementation supporting secure aware of. In the description below an implementation supporting secure
renegotiation is referred to as I<patched>. A server not supporting secure renegotiation is referred to as I<patched>. A server not supporting secure
......
...@@ -98,11 +98,6 @@ incomplete. Call SSL_get_error() with the return value B<ret> to find out, ...@@ -98,11 +98,6 @@ incomplete. Call SSL_get_error() with the return value B<ret> to find out,
whether an error occurred or the connection was shut down cleanly whether an error occurred or the connection was shut down cleanly
(SSL_ERROR_ZERO_RETURN). (SSL_ERROR_ZERO_RETURN).
SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
only be detected, whether the underlying connection was closed. It cannot
be checked, whether the closure was initiated by the peer or by something
else.
=item E<lt>0 =item E<lt>0
The read operation was not successful, because either an error occurred The read operation was not successful, because either an error occurred
......
...@@ -86,10 +86,6 @@ was closed. Call SSL_get_error() with the return value B<ret> to find out, ...@@ -86,10 +86,6 @@ was closed. Call SSL_get_error() with the return value B<ret> to find out,
whether an error occurred or the connection was shut down cleanly whether an error occurred or the connection was shut down cleanly
(SSL_ERROR_ZERO_RETURN). (SSL_ERROR_ZERO_RETURN).
SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
only be detected, whether the underlying connection was closed. It cannot
be checked, why the closure happened.
=item E<lt>0 =item E<lt>0
The write operation was not successful, because either an error occurred The write operation was not successful, because either an error occurred
......
...@@ -93,9 +93,7 @@ inside this header file. ...@@ -93,9 +93,7 @@ inside this header file.
=item B<ssl2.h> =item B<ssl2.h>
That's the sub header file dealing with the SSLv2 protocol only. Unused. Present for backwards compatibility only.
I<Usually you don't have to include it explicitly because
it's already included by ssl.h>.
=item B<ssl3.h> =item B<ssl3.h>
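Review bot: the replacement text "Unused. Present for backwards compatibility only." drops the statement that ssl.h already includes this header. If that transitive include is still in place, keep a sentence saying so; otherwise a reader cannot tell whether existing code that never included ssl2.h explicitly is affected by this change.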
...@@ -175,7 +173,7 @@ definitions in the header files. ...@@ -175,7 +173,7 @@ definitions in the header files.
=item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher); =item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher);
Returns a string like "C<TLSv1/SSLv3>" or "C<SSLv2>" which indicates the Returns a string like "C<SSLv3>" or "C<TLSv1.2>" which indicates the
SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined
in the specification the first time). in the specification the first time).
......
...@@ -856,7 +856,7 @@ int SSL_copy_session_id(SSL *t, const SSL *f) ...@@ -856,7 +856,7 @@ int SSL_copy_session_id(SSL *t, const SSL *f)
} }
/* /*
* what if we are setup as SSLv2 but want to talk SSLv3 or vice-versa * what if we are setup for one protocol version but want to talk another
*/ */
if (t->method != f->method) { if (t->method != f->method) {
t->method->ssl_free(t); /* cleanup current */ t->method->ssl_free(t); /* cleanup current */
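Review bot: the rewritten comment says "one protocol version", but the condition it annotates compares t->method with f->method, and two SSL objects can have different methods for reasons other than version (client versus server methods, for instance). Suggest "what if t and f were set up with different methods" so the comment describes the check below it.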
...@@ -1361,7 +1361,6 @@ int SSL_set_cipher_list(SSL *s, const char *str) ...@@ -1361,7 +1361,6 @@ int SSL_set_cipher_list(SSL *s, const char *str)
return 1; return 1;
} }
/* works well for SSLv2, not so good for SSLv3 */
char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
{ {
char *p; char *p;
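Review bot: the deleted comment "works well for SSLv2, not so good for SSLv3" was the only hint that SSL_get_shared_ciphers() has limitations under SSLv3 and later. If that limitation still applies, replace the comment with one that states what the limitation actually is rather than removing the caveat together with the SSLv2 reference.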
......
...@@ -555,7 +555,7 @@ struct ssl_cipher_st { ...@@ -555,7 +555,7 @@ struct ssl_cipher_st {
int alg_bits; /* Number of bits for algorithm */ int alg_bits; /* Number of bits for algorithm */
}; };
/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ /* Used to hold SSL/TLS functions */
struct ssl_method_st { struct ssl_method_st {
int version; int version;
int (*ssl_new) (SSL *s); int (*ssl_new) (SSL *s);
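Review bot: "Used to hold SSL/TLS functions" is vague for a struct that serves as the per-protocol method table; suggest "Function table for one SSL/TLS protocol method", which also explains the version member that immediately follows.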
......