
I need to compile a TLS scanning tool and I want to use OpenSSL 1.1.0g. The tool uses the library and compiles it in the build file. Unfortunately the tool does not successfully build when my OpenSSL configuration does not explicitly enable ssl3-methods. When I configured OpenSSL with enable-ssl3-method, the tool successfully compiles. I then tried to disable ssl3, so I have:

no-ssl3 enable-ssl3-method 

It also compiles. I do not get the difference between the two. I need the tool not to negotiate TLS with SSLv3 and also not accept it if it is the only supported version by the server.

Can anyone clarify if this configuration is OK? What is the difference between the two options? Will they prevent client support for SSLv3?

Unfortunately I cannot even test the version by connecting to an SSLv3 server. The tool parses TLS 1.0 and TLS 1.1 as SSL3, but this is not an issue for me as long as it does not accept a handshake with SSLv3.

2 Answers


The disable-ssl3 (or no-ssl3) option will prevent the SSL 3.0 protocol version from ever being negotiated in the library. This is done by default since OpenSSL 1.1.0 (but of course defaults can be changed).

The enable-ssl3-method option controls what part of the code will be built. If your legacy application links to the SSLv3_method function, then this option must be set if you want to use your legacy application unchanged. I believe that even with this option, no SSLv3.0 will be negotiated if disabled before with disable-ssl3.

Also note that the disable-ssl3-method option implies disable-ssl3.

Applications should use TLS_method instead of the more specific SSLv3_method, TLSv1_method, TLSv1_1_method, etc.


I manually compiled different latest versions of the openssl package from https://www.openssl.org/source/ using the command below. I understand that sslv3 is disabled using the "Configure" file as mentioned here using "no-ssl" and "no-ssl-method". Still, I used the command below to disable it.

./config --prefix=/opt/openssl/openssl-$SSLVER --openssldir=/opt/openssl/openssl-$SSLVER no-shared no-ssl no-ssl3 no-ssl3-method no-ubsan no-unit-test no-weak-ssl-ciphers enable-ec_nistp_64_gcc_128 enable-tls1_2

After compiling, it still shows SSLv3 version support in the output of the command below. Can someone please let me know why it is still displayed there and how I can compile openssl so that it will never show SSLv3 support in the output below.

# ./bin/openssl ciphers -v|grep -i SSLv3
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(256) Mac=SHA1
SRP-AES-256-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(256) Mac=SHA1
RSA-PSK-AES256-CBC-SHA SSLv3 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA1
DHE-PSK-AES256-CBC-SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(128) Mac=SHA1
SRP-AES-128-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(128) Mac=SHA1
RSA-PSK-AES128-CBC-SHA SSLv3 Kx=RSAPSK Au=RSA Enc=AES(128) Mac=SHA1
DHE-PSK-AES128-CBC-SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
    This is not an answer, and no this value in ciphers -v does NOT mean SSLv3 protocol is supported. It means each listed ciphersuite was defined in SSLv3 but is also supported in later/higher protocols, through 1.2, which are still supported. Also your formatting was unreadable, so I fixed it; please read and follow the help shown when you click the ? icon at the top of the edit window. Commented Sep 8, 2021 at 2:27
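The following is an added example, not code from the question, either answer or the comment above. It ties together the two points made on this page: the first answer's distinction between building the SSLv3 code (enable-ssl3-method) and allowing SSLv3 to be negotiated (no-ssl3, or better a floor set by the application using TLS_method), and the comment's point that "SSLv3" in a cipher listing only names the version a suite was first defined for. It uses Python's ssl module as a thin wrapper over libssl: PROTOCOL_TLS_CLIENT corresponds to TLS_method(), minimum_version to SSL_CTX_set_min_proto_version(), and the 'protocol' field of get_ciphers() is the second column of `openssl ciphers -v`. Function names are my own.

```python
import ssl


def library_built_with_sslv3() -> bool:
    # False when the linked libssl was configured with no-ssl3:
    # the SSLv3 code is simply not there.
    return ssl.HAS_SSLv3


def make_client_context() -> ssl.SSLContext:
    # TLS_method() plus an explicit version floor. The floor, not the
    # build flag, is what a client should rely on: it still holds if the
    # program is later linked against a libssl built with enable-ssl3.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def sslv3_negotiable(ctx: ssl.SSLContext) -> bool:
    # SSLv3 can only be negotiated if the library has the code, the
    # OP_NO_SSLv3 option is not set, and the floor is at or below SSLv3
    # (MINIMUM_SUPPORTED, value -2, also counts as "at or below").
    if not ssl.HAS_SSLv3:
        return False
    if ctx.options & ssl.OP_NO_SSLv3:
        return False
    return ctx.minimum_version <= ssl.TLSVersion.SSLv3


def suites_labelled_sslv3(ctx: ssl.SSLContext) -> list:
    # 'protocol' is the version the suite was first defined for, exactly
    # what `openssl ciphers -v` prints. AES128-SHA reports SSLv3 yet is
    # used under TLS 1.0 through 1.2, so the label says nothing about
    # which protocol versions this context will actually negotiate.
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c["protocol"] == "SSLv3")


def audit(ctx: ssl.SSLContext) -> dict:
    # One report separating build capability, negotiability and labels.
    return {
        "library_built_with_sslv3": library_built_with_sslv3(),
        "sslv3_negotiable": sslv3_negotiable(ctx),
        "suites_labelled_sslv3": suites_labelled_sslv3(ctx),
    }


if __name__ == "__main__":
    print(audit(make_client_context()))
```

On a libssl built with no-ssl3 the first field is False; with the floor set the second is False either way, while the third may still list suites such as AES128-SHA, which is the situation shown in the second answer's output.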
