Getting error 'SSLv2_client_method': identifier not found

On 27/06/16 20:49, Michael Wojcik wrote:
> The simplest fix is to change "SSLv2_client_method" to
> "SSLv23_client_method". (Inserting a single character; can't get much
> simpler than that.) But since you really don't want to talk to a server
> that only supports SSLv3, you might as well use TLSv1_client_method
> instead, or even better TLSv1_2_client_method. Since we have no idea
> what your program does, or what it has to interoperate with, we can't
> offer any more-specific advice.

I would always recommend using the version flexible
SSLv23_client_method() over the version fixed TLSv1_client_method() and
TLSv1_2_client_method(). If you use TLSv1_client_method() then you can
only ever talk TLSv1.0, even if both client and server are actually
capable of negotiating something better. Using TLSv1_2_client_method()
is kind of ok (except of course you deny yourself the possibility of
talking to servers that don't support TLSv1.2 yet) - but if you ever
upgrade OpenSSL to some future version that supports TLS1.3 (or later!)
then, if you forget to upgrade your app at the same time, you are stuck
with a less than optimal TLS version.

Therefore use SSLv23_client_method() and disable any versions that you
do not want to use with SSL_CTX_set_options()/SSL_set_options():
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html

Of course I echo what everyone else has said about not using
SSLv2_client_method() at all!!

Matt

