Opened 7 years ago
Last modified 7 years ago
#11782 new Bugs
OpenSSL SSLv3 methods removed
Reported by: | | Owned by: | chris_kohlhoff |
---|---|---|---|
Milestone: | To Be Determined | Component: | asio |
Version: | Boost 1.58.0 | Severity: | Problem |
Keywords: | | Cc: | |
Description
Hi,
In asio/ssl/impl/context.ipp you have code that looks like:

```cpp
#if defined(OPENSSL_NO_SSL2)
  case context::sslv2:
  case context::sslv2_client:
  case context::sslv2_server:
    boost::asio::detail::throw_error(
        boost::asio::error::invalid_argument, "context");
    break;
#else // defined(OPENSSL_NO_SSL2)
  case context::sslv2:
    handle_ = ::SSL_CTX_new(::SSLv2_method());
    break;
  case context::sslv2_client:
    handle_ = ::SSL_CTX_new(::SSLv2_client_method());
    break;
  case context::sslv2_server:
    handle_ = ::SSL_CTX_new(::SSLv2_server_method());
    break;
#endif // defined(OPENSSL_NO_SSL2)
  case context::sslv3:
    handle_ = ::SSL_CTX_new(::SSLv3_method());
    break;
  case context::sslv3_client:
    handle_ = ::SSL_CTX_new(::SSLv3_client_method());
    break;
  case context::sslv3_server:
    handle_ = ::SSL_CTX_new(::SSLv3_server_method());
    break;
```
Please do the same for the SSLv3 part, but then using OPENSSL_NO_SSL3_METHOD.
I've just disabled those SSLv3 methods in Debian.
It would also be nice if you just removed things like the TLSv1_1_method() method too, and only used SSLv23_method() (or TLS_method()). Also see ticket #10690.
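An added example, not part of the ticket or of Asio: a small Python audit script that walks preprocessor conditionals and reports SSLv2/SSLv3 method calls that would still be compiled when the matching `OPENSSL_NO_SSL2` or `OPENSSL_NO_SSL3_METHOD` macro is defined. The function names and the sample input are constructed for illustration, and only single-macro `defined()` tests are understood.

```python
import re

# Method families and the OpenSSL macro that is defined when they are compiled out.
GUARDS = {"SSLv2": "OPENSSL_NO_SSL2", "SSLv3": "OPENSSL_NO_SSL3_METHOD"}
CALL = re.compile(r"\b(SSLv[23])_(?:client_|server_)?method\s*\(")
DIRECTIVE = re.compile(r"^\s*#\s*(ifdef|ifndef|if|elif|else|endif)\b(.*)")
SIMPLE = re.compile(r"(!?)\s*defined\s*\(?\s*(\w+)\s*\)?")

def _frame(kind, cond):
    """[macros known undefined in this branch, macros known undefined after #else]."""
    cond = cond.split("//")[0].strip()
    if kind != "if":  # "#ifdef X" or "#ifndef X"
        return [set(), {cond}] if kind == "ifdef" else [{cond}, set()]
    m = SIMPLE.fullmatch(cond)  # only single-macro defined() tests are understood
    if not m:
        return [set(), set()]   # compound condition: assume nothing (may over-report)
    return [{m.group(2)}, set()] if m.group(1) else [set(), {m.group(2)}]

def unguarded_calls(source):
    """Return (line, function) for calls compiled even when the OPENSSL_NO_* macro is set."""
    stack, findings = [], []
    for no, line in enumerate(source.splitlines(), 1):
        d = DIRECTIVE.match(line)
        if d:
            kind, cond = d.groups()
            if kind in ("if", "ifdef", "ifndef"):
                stack.append(_frame(kind, cond))
            elif kind in ("elif", "else") and stack:
                stack[-1][0] = stack[-1][1]  # later branches inherit the negation
            elif kind == "endif" and stack:
                stack.pop()
            continue
        undefined = set().union(*(f[0] for f in stack))
        for call in CALL.finditer(line):
            if GUARDS[call.group(1)] not in undefined:
                findings.append((no, call.group(0).rstrip("( ")))
    return findings

# Constructed sample, shortened from the excerpt quoted in the ticket.
SAMPLE = """\
#if defined(OPENSSL_NO_SSL2)
  case context::sslv2: /* throw invalid_argument */ break;
#else // defined(OPENSSL_NO_SSL2)
  case context::sslv2: handle_ = ::SSL_CTX_new(::SSLv2_method()); break;
#endif // defined(OPENSSL_NO_SSL2)
  case context::sslv3: handle_ = ::SSL_CTX_new(::SSLv3_method()); break;
  case context::sslv3_client: handle_ = ::SSL_CTX_new(::SSLv3_client_method()); break;
"""
```

`unguarded_calls(SAMPLE)` reports the two SSLv3 calls on lines 6 and 7 of the sample and leaves the guarded SSLv2 call alone.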