Re: [openssl-dev] [openssl.org #4612] Appcrash on SSL_CTX_new(SSLv2_server_method()) on windows 7 x64 with OpenSSL-1.0.1t


Viktor Kolodrevskiy

Aug 3, 2016, 11:12:49 AM
Hi,

If I want to enable SSLv2 in a Windows build, I will need to pass the parameters:
    no-asm enable-ssl2 -DOPENSSL_USE_IPV6=0 VC-WIN32

So if I need to build OpenSSL under Linux, the parameters should be:
    no-asm enable-ssl2 -DOPENSSL_USE_IPV6=0

Is that right?


On Jul 11, 2016, at 20:20, Kurt Cancemi via RT <r...@openssl.org> wrote:

Hello,

In 1.0.1s OpenSSL disabled SSLv2 by default in the build, so use: perl Configure no-asm enable-ssl2 -DOPENSSL_USE_IPV6=0 VC-WIN32

Excerpt from CHANGES

"Changes between 1.0.1r and 1.0.1s [1 Mar 2016]"

"Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
   is by default disabled at build-time.  Builds that are not configured with
   "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
   users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
   will need to explicitly call either of:

       SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
   or
       SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

   as appropriate.  Even if either of those is used, or the application
   explicitly uses the version-specific SSLv2_method() or its client and
   server variants, SSLv2 ciphers vulnerable to exhaustive search key
   recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
   ciphers, and SSLv2 56-bit DES are no longer available.
   (CVE-2016-0800)"

I highly advise you to stay clear of SSLv2 as it has numerous flaws. You are receiving crashes because SSLv2_server_method() returns NULL and SSL_CTX_new() returns NULL because the input argument (the server method) is NULL. You should check the return value of SSL_CTX_new() no matter what because it can fail.

Kurt Cancemi
ku...@x64architecture.com

On Jul 11, 2016, at 08:10, Dmytro Shamatrin via RT <r...@openssl.org> wrote:

Appcrash on SSL_CTX_new(SSLv2_server_method()) on Windows 7 x64 with OpenSSL 1.0.1t

After upgrading from OpenSSL 1.0.1l to 1.0.1t we got an Appcrash on a Windows machine. After investigation I found that it started to happen after the r version.


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4612
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
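The defensive pattern Kurt describes (check what the library actually gives you before building a context on it), as an added example that is not from this thread or from the OpenSSL project. It is written against Python's ssl binding to OpenSSL rather than the C API: where SSLv2_server_method() returns NULL in a build made without enable-ssl2, the binding simply has no PROTOCOL_SSLv2 constant, so the probe is a getattr instead of a NULL test. The function names and the candidate list are my own; the example runs offline and only inspects the library it is linked against.

```python
"""Probe which SSL/TLS protocol versions the linked OpenSSL build exposes and
build a server context that fails cleanly when a version was compiled out.

Added example for this thread, not OpenSSL project code.  It uses Python's
ssl binding to OpenSSL instead of the C API; the function names are my own.
"""
import ssl

# Python defines PROTOCOL_<name> only when the underlying OpenSSL build has
# that protocol, so a build made without enable-ssl2 has no PROTOCOL_SSLv2,
# just as its SSLv2_server_method() returns NULL in C.
CANDIDATE_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2",
                       "TLS_SERVER", "TLS_CLIENT")

# Only the version-flexible methods accept a negotiation floor.
FLEXIBLE_PROTOCOLS = ("TLS", "TLS_SERVER", "TLS_CLIENT")


def available_protocols():
    """Names from CANDIDATE_PROTOCOLS that this build actually defines."""
    return tuple(n for n in CANDIDATE_PROTOCOLS if hasattr(ssl, "PROTOCOL_" + n))


def make_server_context(protocol="TLS_SERVER", floor=ssl.TLSVersion.TLSv1_2):
    """SSL_CTX_new(method) with the check missing from the crash report.

    Instead of handing a missing method to the context constructor and
    crashing later, raise a RuntimeError that names the build the protocol
    is absent from.  For the version-flexible method, pin a minimum version
    so the obsolete protocols are never negotiated even on a build that still
    has them (the Python-level equivalent of leaving SSL_OP_NO_SSLv2 set).
    """
    method = getattr(ssl, "PROTOCOL_" + protocol, None)
    if method is None:
        raise RuntimeError(
            f"PROTOCOL_{protocol} is not available in {ssl.OPENSSL_VERSION}; "
            "the library was built without it"
        )
    ctx = ssl.SSLContext(method)
    if protocol in FLEXIBLE_PROTOCOLS:
        ctx.minimum_version = floor
    return ctx


def try_make_server_context(protocol):
    """Return (ctx, None) on success or (None, message) when the protocol is
    missing, mirroring a C caller that tests SSL_CTX_new() for NULL."""
    try:
        return make_server_context(protocol), None
    except RuntimeError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print("linked against:", ssl.OPENSSL_VERSION)
    print("protocols exposed by this build:", available_protocols())
    for name in ("SSLv2", "TLS_SERVER"):
        ctx, err = try_make_server_context(name)
        print(name, "->", "ok, floor %s" % ctx.minimum_version.name if ctx else err)
```

On any OpenSSL built without enable-ssl2 the SSLv2 request fails with a message naming the library version, while the version-flexible context comes back with TLS 1.2 as its floor; that is the behaviour the application in the report should have had instead of an Appcrash.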

Viktor Kolodrevskiy via RT

Aug 3, 2016, 11:13:18 AM
Hi,

Is that right?

> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4612
> Please log in as guest with password guest if prompted
>
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Kaduk, Ben via RT

Aug 3, 2016, 12:03:50 PM
On 08/03/2016 10:12 AM, Viktor Kolodrevskiy wrote:
> Hi,
>
> If I want to enable ssl2 under windows build, will need to pass
> parameters:
> no-asm enable-ssl2 -DOPENSSL_USE_IPV6=0 VC-WIN32
>
> So if I will need to build openssl under linux, parameters should be:
> no-asm enable-ssl2 -DOPENSSL_USE_IPV6=0
>
> Is that right?
>

You still need to pass an os/compiler argument to Configure for linux,
something like linux-x86_64 or linux-elf, presumably.

If you use config instead of Configure, there is autodetection of which
os/compiler to use, so no os/compiler argument is needed.

-Ben