Re: [openssl-users] Getting error 'SSLv2_client_method': identifier not found
Salz, Rich
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Michael Wojcik
SSLv2 is no longer supported, and neither are the SSLv2_*_method calls. (And yes, this causes build problems when updating to newer OpenSSL builds; and while that causes some pain, it was the Right Thing to do.)
As Rich said, don't use SSLv2. Don't use SSLv3. If you can help it, don't use anything older than TLSv1.2.
The simplest fix is to change "SSLv2_client_method" to "SSLv23_client_method". (Inserting a single character; can't get much simpler than that.) But since you really don't want to talk to a server that only supports SSLv3, you might as well use TLSv1_client_method instead, or even better TLSv1_2_client_method. Since we have no idea what your program does, or what it has to interoperate with, we can't offer any more-specific advice.
SSLv23_client_method will use the old SSL-format ClientHello, but will (barring more-restrictive options set using SSL_CTX_set_options or similar) use later protocol versions for the actual conversation if the server supports them.
All that said, by far the best approach is to learn how TLS and OpenSSL work, so you can make an informed decision. TLS is agonizingly complicated and a minefield of security holes, and TLS applications maintained by people who don't have the necessary specialized knowledge are very likely to be severely insecure. For example, they may try to use SSLv2, which has been broken for a couple of decades. (That is, it's been broken for as long as it existed, but it's been widely known to be broken since the mid-1990s.)
Feistyduck.com has a free "OpenSSL cookbook" ebook which is a decent introduction.
Michael Wojcik
Technology Specialist, Micro Focus
From: openssl-users [mailto:openssl-us...@openssl.org]
On Behalf Of Tony Girgenti
Sent: Monday, June 27, 2016 13:09
To: openss...@openssl.org
Subject: [openssl-users] Getting error 'SSLv2_client_method': identifier not found
Hello,
I migrated a Visual Studio 6.0 C++ program to Visual Studio 2015 C++. The program uses OpenSSL. I have downloaded and installed OpenSSL-Win32 version 1.0.2g.
I’m trying to figure what I need to do to fix the error I am getting on this line: m_pSSLctx = SSL_CTX_new(SSLv2_client_method());
Tony Girgenti
Michael,
Thank you for your explanation of where my program is and what I should do to continue using some kind of SSL.
I first need to figure out how this program uses SSL. Then I can go ahead and try to use TLSv1.2.
I did try to use "SSLv23_client_method" and got the same compile error “LNK2026 module unsafe for SAFESEH image.”.
Thanks,
Tony
Jakob Bohm
"Unsafe for SAFESEH" is a completely different error:
It means that at least one file or library in your program was either not compiled with the /SAFESEH switch or is an assembler module without the magic incantation to tell the linker it contains no Structured Exeption Handlers. In either case, it only occurs if you try to link with the /SAFESEH linker switch despite the inclusion of such object file(s).
Michael,
Thank you for your explanation of where my program is and what I should do to continue using some kind of SSL.
I first need to figure out how this program uses SSL. Then I can go ahead and try to use TLSv1.2.
I did try to use "SSLv23_client_method" and got the same compile error “LNK2026 module unsafe for SAFESEH image.”.
From: openssl-users [mailto:openssl-us...@openssl.org] On Behalf Of Michael Wojcik
Sent: Monday, June 27, 2016 3:50 PM
To: openss...@openssl.org
Subject: Re: [openssl-users] Getting error 'SSLv2_client_method': identifier not found
SSLv2 is no longer supported, and neither are the SSLv2_*_method calls. (And yes, this causes build problems when updating to newer OpenSSL builds; and while that causes some pain, it was the Right Thing to do.)
As Rich said, don't use SSLv2. Don't use SSLv3. If you can help it, don't use anything older than TLSv1.2.
The simplest fix is to change "SSLv2_client_method" to "SSLv23_client_method". (Inserting a single character; can't get much simpler than that.) But since you really don't want to talk to a server that only supports SSLv3, you might as well use TLSv1_client_method instead, or even better TLSv1_2_client_method. Since we have no idea what your program does, or what it has to interoperate with, we can't offer any more-specific advice.
SSLv23_client_method will use the old SSL-format ClientHello, but will (barring more-restrictive options set using SSL_CTX_set_options or similar) use later protocol versions for the actual conversation if the server supports them.
All that said, by far the best approach is to learn how TLS and OpenSSL work, so you can make an informed decision. TLS is agonizingly complicated and a minefield of security holes, and TLS applications maintained by people who don't have the necessary specialized knowledge are very likely to be severely insecure. For example, they may try to use SSLv2, which has been broken for a couple of decades. (That is, it's been broken for as long as it existed, but it's been widely known to be broken since the mid-1990s.)
Feistyduck.com has a free "OpenSSL cookbook" ebook which is a decent introduction.
From: openssl-users [mailto:openssl-us...@openssl.org] On Behalf Of Tony Girgenti
Sent: Monday, June 27, 2016 13:09
To: openss...@openssl.org
Subject: [openssl-users] Getting error 'SSLv2_client_method': identifier not found
Hello,
I migrated a Visual Studio 6.0 C++ program to Visual Studio 2015 C++. The program uses OpenSSL. I have downloaded and installed OpenSSL-Win32 version 1.0.2g.
I’m trying to figure what I need to do to fix the error I am getting on this line: m_pSSLctx = SSL_CTX_new(SSLv2_client_method());
Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded
Tony Girgenti
Thanks for your help.
If I change the statement to m_pSSLctx = SSL_CTX_new(SSLv3_client_method());
The compiler gives the error: "LNK2026 module unsafe for SAFESEH image."
Can you give more information about how to not use SSLv2?
Thanks,
Tony
-----Original Message-----
From: openssl-users [mailto:openssl-us...@openssl.org] On Behalf Of
Salz, Rich
Sent: Monday, June 27, 2016 3:20 PM
To: openss...@openssl.org
Subject: [SPAM] Re: [openssl-users] Getting error 'SSLv2_client_method':
identifier not found
Matt Caswell
On 27/06/16 20:49, Michael Wojcik wrote:
> The simplest fix is to change "SSLv2_client_method" to
> "SSLv23_client_method". (Inserting a single character; can't get much
> simpler than that.) But since you really don't want to talk to a server
> that only supports SSLv3, you might as well use TLSv1_client_method
> instead, or even better TLSv1_2_client_method. Since we have no idea
> what your program does, or what it has to interoperate with, we can't
> offer any more-specific advice.
SSLv23_client_method() over the version fixed TLSv1_client_method() and
TLSv1_2_client_method(). If you use TLSv1_client_method() then you can
only ever talk TLSv1.0, even if both client and server are actually
capable of negotiating something better. Using TLSv1_2_client_method()
is kind of ok (except of course you deny yourself the possibility of
talking to servers that don't support TLSv1.2 yet) - but if you ever
upgrade OpenSSL to some future version that supports TLS1.3 (or later!)
then, if you forget to upgrade your app at the same time, you are stuck
with a less than optimal TLS version.
Therefore use SSLv23_client_method() and disable any versions that you
do not want to use with SSL_CTX_set_options()/SSL_set_options():
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html
Of course I echo what everyone else has said about not using
SSLv2_client_method() at all!!
Matt
Michael Wojcik
> Sent: Monday, June 27, 2016 15:53
> To: openss...@openssl.org
> Subject: Re: [openssl-users] Getting error 'SSLv2_client_method': identifier
> not found
>
> SSLv23_client_method() over the version fixed TLSv1_client_method() and
> TLSv1_2_client_method().
--
Technology Specialist, Micro Focus
Tony Girgenti
Is OpenSSL compatible with SAFESEH(safe exception handling feature)?
https://msdn.microsoft.com/en-us/library/100ezk17.aspx
Thanks,
Tony
Michael Wojcik
> Sent: Monday, June 27, 2016 16:48
> Subject: Re: [openssl-users] Getting error 'SSLv2_client_method': identifier
> not found
>
For some time now, OpenSSL's assembly modules have had SAFESEH gubbins wedged into them as necessary. See e.g. the ::safeseh subroutine in crypto/perlasm/x86nasm.pl in the OpenSSL sources.
I just linked a little test program against a library built with OpenSSL 1.0.2g with SAFESEH enabled. No warnings, and dumpbin /loadconfig shows that it has a SafeSEH table.
In your original note you said that you "downloaded and installed OpenSSL 1.0.2g". It's not clear what that means. Are you building using libraries created by someone else?
Tony Girgenti
Thanks for your help.
I forget where I downloaded OpenSSL from, but all I did was download a zip
file and unzipped all the file to a folder called: OpenSSL-Win32.
From there, I simply pointed my Visual Studio project properties directory
search for includes and lib files to that folder. I did not compile or
change anything in that folder.
Thanks,
Tony
Michael Wojcik
> Subject: Re: [openssl-users] Getting error 'SSLv2_client_method': identifier
> not found
>
> file and unzipped all the file to a folder called: OpenSSL-Win32.
>
> From there, I simply pointed my Visual Studio project properties directory
> search for includes and lib files to that folder. I did not compile or
> change anything in that folder.
Of course this points to one of the (many) problems with TLS: It's not easy to get it into your application. Open-source implementations (OpenSSL, GnuTLS, LibreSSL, NSS, CyaSSL, ...) are not trivial to work with. Many OSes come with some TLS implementation installed by default or as an add-on package, but then you have to work with their API, build, configuration, etc, which often raises issues with portability; and if, say, you're trying to use an application (or other component) that's built to use OpenSSL, then Microsoft's SChannel isn't going to do you much good.
That said, it's not that hard to read the instructions, download the OpenSSL tarball, verify its signature, and build it.
Then all you have to worry about are the myriad difficulties of using the OpenSSL API, dealing with the wide array of SSL and TLS protocol and ciphersuite pitfalls, navigating the nightmarish bog of X.509-certificate PKIs, diagnosing obscure failures, educating users, ...
TLS is a solution that asymptotically approaches being worse than the problem. (Now I want that on a t-shirt.) But at the moment there are no viable alternatives for most use cases.
Jeffrey Walton
<Michael...@microfocus.com> wrote:
> SSLv2 is no longer supported, and neither are the SSLv2_*_method calls. (And
> yes, this causes build problems when updating to newer OpenSSL builds; and
> while that causes some pain, it was the Right Thing to do.)
>
> As Rich said, don't use SSLv2. Don't use SSLv3. If you can help it, don't
> use anything older than TLSv1.2.
yanked SSLv2 support. Iit was warned about use cases like this.
When SSLv2 was re-added to return NULL because, it still omitted
OPENSSL_NO_SSL2.
There was no need to break existing client code in this case.
Matt Caswell
On 29/06/16 01:03, Jeffrey Walton wrote:
> On Mon, Jun 27, 2016 at 3:49 PM, Michael Wojcik
> <Michael...@microfocus.com> wrote:
>> SSLv2 is no longer supported, and neither are the SSLv2_*_method calls. (And
>> yes, this causes build problems when updating to newer OpenSSL builds; and
>> while that causes some pain, it was the Right Thing to do.)
>>
>> As Rich said, don't use SSLv2. Don't use SSLv3. If you can help it, don't
>> use anything older than TLSv1.2.
>
> The library should have unconditionally set OPENSSL_NO_SSL2 when it
> yanked SSLv2 support. Iit was warned about use cases like this.
>
> When SSLv2 was re-added to return NULL because, it still omitted
> OPENSSL_NO_SSL2.
From my 1.0.2 opensslconf.h:
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
Matt
Michael Wojcik
> Sent: Tuesday, June 28, 2016 18:04
> To: OpenSSL Users
> not found
>
> <Michael...@microfocus.com> wrote:
> > SSLv2 is no longer supported, and neither are the SSLv2_*_method calls.
> (And
> > yes, this causes build problems when updating to newer OpenSSL builds;
> and
> > while that causes some pain, it was the Right Thing to do.)
>
> yanked SSLv2 support. Iit was warned about use cases like this.
>
> When SSLv2 was re-added to return NULL because, it still omitted
> OPENSSL_NO_SSL2.
>
At the moment, I'm inclined to prefer a compile-time error to a run-time one in this case. I suspect there's a fair bit of code out there which doesn't check for a null return from the *_method calls, leading to some puzzlement on the part of developers. (I'll agree re OPENSSL_NO_SSL2; that ought to be defined.)
But perhaps tomorrow I'll feel differently. There's an argument to be made either way.
--
Michael Wojcik
Technology Specialist, Micro Focus