I've tried building (1.1.1g) with -enable-ssl2 flag using configure but it does not enable sslv2 support. I'm wondering if it's possible at all to have a newer version of openssl enable comms for sslv2? Or has maybe the source code logic for sslv2 been removed completely?

I appreciate any help. Thanks in advance.

buckc
  • **NO.** SSLv2 code was removed in 1.1.0 (2016), when the old protocol logic using individual ad-hoc checks (with 'SMACK' bugs) was replaced by a structured, testable state machine. TLS1.3 was first implemented in 1.1.1 (2018), which is later than 1.1.0. (I assume you know SSLv2 is long broken and completely insecure and should never be used for anything potentially important, but that is a topic for security.SX and not stackoverflow. SSLv3 is also broken and is _disabled_ by default in 1.1.x, but can be enabled, since it uses the same messages and nearly the same logic as TLS1.0.) – dave_thompson_085 Aug 21 '20 at 15:54
  • Ok. That's what I thought after looking through the source (didn't see any sslv2 logic). I enabled sslv3 using enable-ssl3 option as you said above. And yes I am aware of the security implications. Yeah, I saw the state machine in there as well. Looks like a big refactor was done. Thanks again – buckc Aug 21 '20 at 18:11

0 Answers