Added to all the weaknesses in SSLv3, the only supported cipher suites are either vulnerable or deprecated and not advisable. SSL_RSA_WITH_NULL_MD5 NULL-MD5 SSL_RSA_WITH_NULL_SHA NULL-SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5 SSL_RSA_WITH_RC4_128_MD5 RC4-MD5 SSL_RSA_WITH_RC4_128_SHA RC4-SHA SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5 SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA SSL_DH_DSS_WITH_DES_CBC_SHA DH-DSS-DES-CBC-SHA SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA DH-DSS-DES-CBC3-SHA SSL_DH_RSA_WITH_DES_CBC_SHA DH-RSA-DES-CBC-SHA SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA DH-RSA-DES-CBC3-SHA SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA SSL_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5 SSL_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA SSL_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented. SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented. SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented. On Wed, 2021-10-06 at 11:25 -0700, Kory Hamzeh wrote: > Fair enough. We are not using SSLv3, the code just made reference to > the method. I will compile it out. > > Thanks! > > > > On Oct 5, 2021, at 5:09 PM, Viktor Dukhovni < > > openssl-users@xxxxxxxxxxxx> wrote: > > > > On Tue, Oct 05, 2021 at 03:49:48PM -0700, Kory Hamzeh wrote: > > > > > It looks like SSLv3 is not built by default in OpenSSL 3.0.0. At > > > least > > > SSLv3_method() is not define, and looking at the conditional > > > compilation of that function, it makes sense. > > > > > > What command line option do I pass the Configure script to enable > > > it? > > > I tried enable-sslv3 and enable-SSLv3. It complained about both. > > > I > > > need to compile some old code (Python 2.7) which we will abandon > > > soon. > > > > Don't enable SSLv3 in OpenSSL 3.0, that's not doing anyone a > > favour. > > Better to instead build the code in question against OpenSSL 1.1.1, > > if > > SSLv3 actually needs to be *used*. It is not a problem to install > > both > > OpenSSL 1.1.1 and OpenSSL 3.0 side-by-side (shared libraries) on > > systems > > with support for symbol versioning. > > > > If the only purpose of SSLv3 is to get code to compile, that will > > not > > in fact ever run, or that can reasonably just return an error when > > it runs, you can enable the method stubs, without enabling support > > for the protocol: > > > > ./Configure enable-ssl3-method ... > > > > The default is to disable both "ssl3" and "ssl3-protocol" and I > > would > > strongly encourage you to not enable both. Nobody should be > > actually > > using SSLv3 anymore, but exporting function stubs that will error > > out > > makes some sense if required to support toolkits that wrap the > > OpenSSL > > API and still want to expose SSLv3 methods. > > > > -- > > Viktor. > >
