Re: [Lynx-dev] SSLv23 method gone now


From: Matt Caswell
Subject: Re: [Lynx-dev] SSLv23 method gone now
Date: Tue, 19 May 2015 17:02:00 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0


On 19/05/15 15:04, Thorsten Glaser wrote:
> Gisle Vanem dixit:
> 
>> +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
> 
> No. The change is not a property of the version number.
> I have OpenSSL 0.9.7 (plus patches…) without SSLv{2,3}.
> 
> Index: HTTP.c
> ===================================================================
> RCS file: /cvs/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTP.c,v
> retrieving revision 1.26
> retrieving revision 1.27
> diff -u -p -r1.26 -r1.27
> --- HTTP.c      13 Mar 2014 04:46:43 -0000      1.26
> +++ HTTP.c      4 Jan 2015 22:24:27 -0000       1.27
> @@ -124,7 +124,11 @@ SSL *HTGetSSLHandle(void)
>         ssl_opts &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
>  #endif
>         SSLeay_add_ssl_algorithms();
> +#if defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3)
> +       ssl_ctx = SSL_CTX_new(TLSv1_client_method());
> +#else
>         ssl_ctx = SSL_CTX_new(SSLv23_client_method());
> +#endif
>         SSL_CTX_set_options(ssl_ctx, ssl_opts);
>         SSL_CTX_set_default_verify_paths(ssl_ctx);
>         SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, HTSSLCallback);
> 
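Review bot: the guard `+#if defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3)` selects `TLSv1_client_method()`, which pins the client to TLS 1.0 only, on exactly the builds where the existing `SSL_CTX_new(SSLv23_client_method())` call in the `#else` branch would already negotiate the highest TLS version both sides support; the SSLv23 method is the version-negotiating one and does not depend on SSLv2 or SSLv3 being compiled in, so the new branch is both unnecessary and a downgrade. Keep the unconditional `ssl_ctx = SSL_CTX_new(SSLv23_client_method());` (switching the name to `TLS_client_method()` only where OpenSSL 1.1.0 provides it), and while touching this spot, test `ssl_ctx` for NULL before the `SSL_CTX_set_options(ssl_ctx, ssl_opts);` that follows, since `SSL_CTX_new()` can fail.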
> This should do the trick.

This is not correct.

Despite their name, the SSLv23_*method() functions have nothing to do
with the availability of SSLv2 or SSLv3. What these functions do is
negotiate with the peer the highest available SSL/TLS protocol
version. The name is as it is for historic reasons. This is a very
common confusion and is the main reason why these names have been
deprecated in the latest dev version of OpenSSL.

The OP suggested this:

+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+       ssl_ctx = SSL_CTX_new(TLSv1_client_method());
+#else
        ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+#endif

This is not quite correct either. TLSv1_client_method() will force
TLS1.0 only. This is the correct approach:

+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+       ssl_ctx = SSL_CTX_new(TLS_client_method());
+#else
        ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+#endif
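Review bot: the two branches differ only in the method name, so the duplicated `ssl_ctx = SSL_CTX_new(...)` line can be avoided by aliasing the name once near the top of the file, e.g. `#if OPENSSL_VERSION_NUMBER < 0x10100000L` / `#define TLS_client_method SSLv23_client_method` / `#endif`, and then calling `SSL_CTX_new(TLS_client_method())` unconditionally. That keeps the version threshold in one place and makes it clear the check exists only because 1.1.0 may hide the deprecated name, not because the set of negotiated protocols changes.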

Alternatively you can continue to use the old SSLv23_client_method()
name - but if you do so you will have to enable deprecated functions.

Matt
