New option no-ssl3-method which removes SSLv3_*method
When no-ssl3 is set only make SSLv3 disabled by default. Retain -ssl3
options for s_client/s_server/ssltest.
When no-ssl3-method is set SSLv3_*method() is removed and all -ssl3
options.
We should document this somewhere, e.g. wiki, FAQ or manual page.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 68c00c5..c84c662 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -167,9 +167,9 @@
#include <openssl/engine.h>
#endif
-static const SSL_METHOD *ssl3_get_client_method(int ver);
static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
+#ifndef OPENSSL_NO_SSL3_METHOD
static const SSL_METHOD *ssl3_get_client_method(int ver)
{
if (ver == SSL3_VERSION)
@@ -182,6 +182,7 @@
ssl_undefined_function,
ssl3_connect,
ssl3_get_client_method)
+#endif
int ssl3_connect(SSL *s)
{
diff --git a/ssl/s3_meth.c b/ssl/s3_meth.c
index cdddb17..4dec703 100644
--- a/ssl/s3_meth.c
+++ b/ssl/s3_meth.c
@@ -60,7 +60,7 @@
#include <openssl/objects.h>
#include "ssl_locl.h"
-static const SSL_METHOD *ssl3_get_method(int ver);
+#ifndef OPENSSL_NO_SSL3_METHOD
static const SSL_METHOD *ssl3_get_method(int ver)
{
if (ver == SSL3_VERSION)
@@ -73,5 +73,4 @@
ssl3_accept,
ssl3_connect,
ssl3_get_method)
-
-
+#endif
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index b553326..876a245 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -170,6 +170,7 @@
#endif
#include <openssl/md5.h>
+#ifndef OPENSSL_NO_SSL3_METHOD
static const SSL_METHOD *ssl3_get_server_method(int ver);
static const SSL_METHOD *ssl3_get_server_method(int ver)
@@ -180,6 +181,12 @@
return(NULL);
}
+IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
+ ssl3_accept,
+ ssl_undefined_function,
+ ssl3_get_server_method)
+#endif
+
#ifndef OPENSSL_NO_SRP
static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
{
@@ -206,11 +213,6 @@
}
#endif
-IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
- ssl3_accept,
- ssl_undefined_function,
- ssl3_get_server_method)
-
int ssl3_accept(SSL *s)
{
BUF_MEM *buf;
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 681dec9..beb00a0 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2235,9 +2235,11 @@
const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
#endif
+#ifndef OPENSSL_NO_SSL3_METHOD
const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */
const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */
+#endif
const SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */
const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index 028f852..4f2f477 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -776,7 +776,7 @@
#ifndef OPENSSL_NO_SSL2
fprintf(stderr," -ssl2 - use SSLv2\n");
#endif
-#ifndef OPENSSL_NO_SSL3
+#ifndef OPENSSL_NO_SSL3_METHOD
fprintf(stderr," -ssl3 - use SSLv3\n");
#endif
#ifndef OPENSSL_NO_TLS1
@@ -1180,7 +1180,7 @@
}
else if (strcmp(*argv,"-ssl3") == 0)
{
-#ifdef OPENSSL_NO_SSL3
+#ifdef OPENSSL_NO_SSL3_METHOD
no_protocol = 1;
#endif
ssl3 = 1;
