Commit 45f55f6a authored by Kurt Roeckx's avatar Kurt Roeckx

Remove SSLv2 support



The only support for SSLv2 left is receiving an SSLv2-compatible client hello.

Reviewed-by: Richard Levitte <levitte@openssl.org>
parent 616f71e4
+0 −7
@@ -847,7 +847,6 @@ PROCESS_ARGS:
				{
				if ($1 eq "ssl")
					{
					$disabled{"ssl2"} = "option(ssl)";
					$disabled{"ssl3"} = "option(ssl)";
					}
				elsif ($1 eq "tls")
@@ -1062,12 +1061,6 @@ if (defined($disabled{"ec"}))
	$disabled{"ecdh"} = "forced";
	}

# SSL 2.0 requires MD5 and RSA
if (defined($disabled{"md5"}) || defined($disabled{"rsa"}))
	{
	$disabled{"ssl2"} = "forced";
	}

# SSL 3.0 and TLS requires MD5 and SHA and either RSA or DSA+DH
if (defined($disabled{"md5"}) || defined($disabled{"sha"})
    || (defined($disabled{"rsa"})
+1 −1
@@ -134,7 +134,7 @@ Currently, the logical names supported are:
                        will not be implemented.  Supported algorithms to
                        do this with are: RSA, DSA, DH, MD2, MD4, MD5, RIPEMD,
                        SHA, DES, MDC2, CR2, RC4, RC5, IDEA, BF, CAST, HMAC,
                        SSL2.  So, for example, having the logical name
                        SSL3.  So, for example, having the logical name
                        OPENSSL_NO_RSA with the value YES means that the
                        LIBCRYPTO.OLB library will not contain an RSA
                        implementation.
+0 −32
@@ -270,22 +270,6 @@ sub ssl_tests
   print( OUT "\n========================================================\n");
   print( OUT "SSL TESTS:\n\n");

   system("ssltest -ssl2 (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2:");
   log_output("ssltest -ssl2", $outFile);

   system("$ssltest -ssl2 -server_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with server authentication:");
   log_output("$ssltest -ssl2 -server_auth", $outFile);

   system("$ssltest -ssl2 -client_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with client authentication:");
   log_output("$ssltest -ssl2 -client_auth", $outFile);

   system("$ssltest -ssl2 -server_auth -client_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with both client and server authentication:");
   log_output("$ssltest -ssl2 -server_auth -client_auth", $outFile);

   system("ssltest -ssl3 (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv3:");
   log_output("ssltest -ssl3", $outFile);
@@ -318,26 +302,10 @@ sub ssl_tests
   log_desc("Testing sslv2/sslv3 with both client and server authentication:");
   log_output("$ssltest -server_auth -client_auth", $outFile);

   system("ssltest -bio_pair -ssl2 (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 via BIO pair:");
   log_output("ssltest -bio_pair -ssl2", $outFile);

   system("ssltest -bio_pair -dhe1024dsa -v (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2/sslv3 with 1024 bit DHE via BIO pair:");
   log_output("ssltest -bio_pair -dhe1024dsa -v", $outFile);

   system("$ssltest -bio_pair -ssl2 -server_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with server authentication via BIO pair:");
   log_output("$ssltest -bio_pair -ssl2 -server_auth", $outFile);

   system("$ssltest -bio_pair -ssl2 -client_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with client authentication via BIO pair:");
   log_output("$ssltest -bio_pair -ssl2 -client_auth", $outFile);

   system("$ssltest -bio_pair -ssl2 -server_auth -client_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with both client and server authentication via BIO pair:");
   log_output("$ssltest -bio_pair -ssl2 -server_auth -client_auth", $outFile);

   system("ssltest -bio_pair -ssl3 (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv3 via BIO pair:");
   log_output("ssltest -bio_pair -ssl3", $outFile);
+1 −8
@@ -73,7 +73,6 @@ static const char *ciphers_usage[]={
"usage: ciphers args\n",
" -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
" -V          - even more verbose\n",
" -ssl2       - SSL2 mode\n",
" -ssl3       - SSL3 mode\n",
" -tls1       - TLS1 mode\n",
NULL
@@ -130,10 +129,6 @@ int MAIN(int argc, char **argv)
		else if (strcmp(*argv,"-stdname") == 0)
			stdname=verbose=1;
#endif
#ifndef OPENSSL_NO_SSL2
		else if (strcmp(*argv,"-ssl2") == 0)
			meth=SSLv2_client_method();
#endif
#ifndef OPENSSL_NO_SSL3
		else if (strcmp(*argv,"-ssl3") == 0)
			meth=SSLv3_client_method();
@@ -210,9 +205,7 @@ int MAIN(int argc, char **argv)
				int id2 = (int)((id >> 8) & 0xffL);
				int id3 = (int)(id & 0xffL);
				
				if ((id & 0xff000000L) == 0x02000000L)
					BIO_printf(STDout, "     0x%02X,0x%02X,0x%02X - ", id1, id2, id3); /* SSL2 cipher */
				else if ((id & 0xff000000L) == 0x03000000L)
				if ((id & 0xff000000L) == 0x03000000L)
					BIO_printf(STDout, "          0x%02X,0x%02X - ", id2, id3); /* SSL3 cipher */
				else
					BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */
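Review bot: The `-ssl2` branch is dropped from the argument chain in MAIN with nothing in its place, so an existing invocation that passes `-ssl2` now falls through to whatever the later branches do. The end of that chain is outside the hunk, so it cannot be confirmed here whether the option yields a usage error or is silently taken as something else, such as a cipher string. Audit scripts that used this option to check whether a build still offers SSLv2 suites should get an unambiguous failure rather than different output. One option is to keep an explicit branch such as `else if (strcmp(*argv,"-ssl2") == 0) { BIO_printf(STDout, "-ssl2: SSLv2 support has been removed\n"); /* take MAIN's existing error exit */ }`. In the last hunk, 0x02-prefixed ids now reach the four-byte catch-all print, which looks intended but would merit a short comment replacing `/* whatever */`.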
+0 −68
@@ -621,8 +621,6 @@ static const char *ssl_version_str(int version)
	{
	switch (version)
		{
	case SSL2_VERSION:
		return "SSL 2.0";
	case SSL3_VERSION:
		return "SSL 3.0";
	case TLS1_VERSION:
@@ -649,67 +647,6 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *

	str_version = ssl_version_str(version);

	if (version == SSL2_VERSION)
		{
		str_details1 = "???";

		if (len > 0)
			{
			switch (((const unsigned char*)buf)[0])
				{
				case 0:
					str_details1 = ", ERROR:";
					str_details2 = " ???";
					if (len >= 3)
						{
						unsigned err = (((const unsigned char*)buf)[1]<<8) + ((const unsigned char*)buf)[2];
						
						switch (err)
							{
						case 0x0001:
							str_details2 = " NO-CIPHER-ERROR";
							break;
						case 0x0002:
							str_details2 = " NO-CERTIFICATE-ERROR";
							break;
						case 0x0004:
							str_details2 = " BAD-CERTIFICATE-ERROR";
							break;
						case 0x0006:
							str_details2 = " UNSUPPORTED-CERTIFICATE-TYPE-ERROR";
							break;
							}
						}

					break;
				case 1:
					str_details1 = ", CLIENT-HELLO";
					break;
				case 2:
					str_details1 = ", CLIENT-MASTER-KEY";
					break;
				case 3:
					str_details1 = ", CLIENT-FINISHED";
					break;
				case 4:
					str_details1 = ", SERVER-HELLO";
					break;
				case 5:
					str_details1 = ", SERVER-VERIFY";
					break;
				case 6:
					str_details1 = ", SERVER-FINISHED";
					break;
				case 7:
					str_details1 = ", REQUEST-CERTIFICATE";
					break;
				case 8:
					str_details1 = ", CLIENT-CERTIFICATE";
					break;
				}
			}
		}

	if (version == SSL3_VERSION ||
	    version == TLS1_VERSION ||
	    version == TLS1_1_VERSION ||
@@ -1829,11 +1766,6 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx,
	case SSL_SECOP_CURVE_CHECK:
		nm = "Check Curve";
		break;
	case SSL_SECOP_SSL2_COMPAT:
		BIO_puts(sdb->out, "SSLv2 compatible");
		show_bits = 0;
		nm = NULL;
		break;
	case SSL_SECOP_VERSION:
		BIO_printf(sdb->out, "Version=%s", ssl_version_str(nid));
		show_bits = 0;