Discussion:
Determine if SSLv2 is available at runtime?
Jeffrey Walton
2014-10-10 15:19:38 UTC
I need to determine if SSLv2 is available at runtime. I know I can
check for NO_SSL2 at compile time, but I don't recall a runtime
feature check.

Is there a way to determine if the library is capable of SSLv2 at runtime?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
ag@gmail
2014-10-10 15:44:53 UTC
openssl s_client -ssl2... maybe?

-ag

--
sent via 100% recycled electrons from my mobile command center.
Jeffrey Walton
2014-10-10 16:19:40 UTC
Post by ***@gmail
openssl s_client -ssl2... maybe?
Thanks ag. I'm working from within the library in C.

I was thinking something like:

int ssl2_avail = 0;
#ifndef NO_SSL2
if(SSLv2_client_method())
    ssl2_avail = 1;
#endif

But it's not clear to me if it accurately represents the availability.
For example, what if SSLv2_client_method() returns non-NULL but SSLv2
was disabled in some other way by a distribution?

Jeff
Salz, Rich
2014-10-11 20:33:38 UTC
For example, what if SSLv2_client_method() returns non-NULL but SSLv2 was
disabled in some other way by a distribution.
Well then you're hosed. Distros will do what they want, and there's nothing we can do about it.

Do you have a real-world use-case for SSLv2? The use we see is negligible (well under 1%).
Jeffrey Walton
2014-10-11 20:49:22 UTC
Post by Salz, Rich
For example, what if SSLv2_client_method() returns non-NULL but SSLv2 was
disabled in some other way by a distribution.
Well then you're hosed. Distros will do what they want, and there's nothing we can do about it.
Here's the case I'm worried/concerned about:

SSL_CTX* ctx = SSL_CTX_new(SSLv2_client_method());
ASSERT(ctx != NULL);

But the distro silently set SSL_OP_NO_SSLv2.
Post by Salz, Rich
Do you have a real-world use-case for SSLv2? The use we see is negligible (well under 1%).
Yes: a compliance tool that looks at server configurations. I'd like
to differentiate between "No SSLv2" by either (1) SSLv2 was not
available in the client for testing vs (2) the server was configured
without SSLv2 support.

Jeff