Remove SSLv2 support
The only support for SSLv2 left is receiving a SSLv2 compatible client hello.
Reviewed-by: Richard Levitte <levitte@openssl.org>
diff --git a/apps/ciphers.c b/apps/ciphers.c
index 85760cd..7de7dd3 100644
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -73,7 +73,6 @@
"usage: ciphers args\n",
" -v - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
" -V - even more verbose\n",
-" -ssl2 - SSL2 mode\n",
" -ssl3 - SSL3 mode\n",
" -tls1 - TLS1 mode\n",
NULL
@@ -130,10 +129,6 @@
else if (strcmp(*argv,"-stdname") == 0)
stdname=verbose=1;
#endif
-#ifndef OPENSSL_NO_SSL2
- else if (strcmp(*argv,"-ssl2") == 0)
- meth=SSLv2_client_method();
-#endif
#ifndef OPENSSL_NO_SSL3
else if (strcmp(*argv,"-ssl3") == 0)
meth=SSLv3_client_method();
@@ -210,9 +205,7 @@
int id2 = (int)((id >> 8) & 0xffL);
int id3 = (int)(id & 0xffL);
- if ((id & 0xff000000L) == 0x02000000L)
- BIO_printf(STDout, " 0x%02X,0x%02X,0x%02X - ", id1, id2, id3); /* SSL2 cipher */
- else if ((id & 0xff000000L) == 0x03000000L)
+ if ((id & 0xff000000L) == 0x03000000L)
BIO_printf(STDout, " 0x%02X,0x%02X - ", id2, id3); /* SSL3 cipher */
else
BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 0184125..f3892f9 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -621,8 +621,6 @@
{
switch (version)
{
- case SSL2_VERSION:
- return "SSL 2.0";
case SSL3_VERSION:
return "SSL 3.0";
case TLS1_VERSION:
@@ -649,67 +647,6 @@
str_version = ssl_version_str(version);
- if (version == SSL2_VERSION)
- {
- str_details1 = "???";
-
- if (len > 0)
- {
- switch (((const unsigned char*)buf)[0])
- {
- case 0:
- str_details1 = ", ERROR:";
- str_details2 = " ???";
- if (len >= 3)
- {
- unsigned err = (((const unsigned char*)buf)[1]<<8) + ((const unsigned char*)buf)[2];
-
- switch (err)
- {
- case 0x0001:
- str_details2 = " NO-CIPHER-ERROR";
- break;
- case 0x0002:
- str_details2 = " NO-CERTIFICATE-ERROR";
- break;
- case 0x0004:
- str_details2 = " BAD-CERTIFICATE-ERROR";
- break;
- case 0x0006:
- str_details2 = " UNSUPPORTED-CERTIFICATE-TYPE-ERROR";
- break;
- }
- }
-
- break;
- case 1:
- str_details1 = ", CLIENT-HELLO";
- break;
- case 2:
- str_details1 = ", CLIENT-MASTER-KEY";
- break;
- case 3:
- str_details1 = ", CLIENT-FINISHED";
- break;
- case 4:
- str_details1 = ", SERVER-HELLO";
- break;
- case 5:
- str_details1 = ", SERVER-VERIFY";
- break;
- case 6:
- str_details1 = ", SERVER-FINISHED";
- break;
- case 7:
- str_details1 = ", REQUEST-CERTIFICATE";
- break;
- case 8:
- str_details1 = ", CLIENT-CERTIFICATE";
- break;
- }
- }
- }
-
if (version == SSL3_VERSION ||
version == TLS1_VERSION ||
version == TLS1_1_VERSION ||
@@ -1829,11 +1766,6 @@
case SSL_SECOP_CURVE_CHECK:
nm = "Check Curve";
break;
- case SSL_SECOP_SSL2_COMPAT:
- BIO_puts(sdb->out, "SSLv2 compatible");
- show_bits = 0;
- nm = NULL;
- break;
case SSL_SECOP_VERSION:
BIO_printf(sdb->out, "Version=%s", ssl_version_str(nid));
show_bits = 0;
diff --git a/apps/s_client.c b/apps/s_client.c
index cde7713..1a30ef2 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -335,7 +335,6 @@
BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
#endif
- BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
#ifndef OPENSSL_NO_SSL3_METHOD
BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
#endif
@@ -345,9 +344,8 @@
BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
BIO_printf(bio_err," -mtu - set the link layer MTU\n");
- BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
+ BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3 - turn off that protocol\n");
BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
- BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
BIO_printf(bio_err," command to see what is available\n");
BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
@@ -912,10 +910,6 @@
meth=TLSv1_client_method();
}
#endif
-#ifndef OPENSSL_NO_SSL2
- else if (strcmp(*argv,"-ssl2") == 0)
- meth=SSLv2_client_method();
-#endif
#ifndef OPENSSL_NO_SSL3_METHOD
else if (strcmp(*argv,"-ssl3") == 0)
meth=SSLv3_client_method();
@@ -2198,14 +2192,12 @@
static void print_stuff(BIO *bio, SSL *s, int full)
{
X509 *peer=NULL;
- char *p;
- static const char *space=" ";
char buf[BUFSIZ];
STACK_OF(X509) *sk;
STACK_OF(X509_NAME) *sk2;
const SSL_CIPHER *c;
X509_NAME *xn;
- int j,i;
+ int i;
#ifndef OPENSSL_NO_COMP
const COMP_METHOD *comp, *expansion;
#endif
@@ -2267,34 +2259,6 @@
{
BIO_printf(bio,"---\nNo client certificate CA names sent\n");
}
- p=SSL_get_shared_ciphers(s,buf,sizeof buf);
- if (p != NULL)
- {
- /* This works only for SSL 2. In later protocol
- * versions, the client does not know what other
- * ciphers (in addition to the one to be used
- * in the current connection) the server supports. */
-
- BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
- j=i=0;
- while (*p)
- {
- if (*p == ':')
- {
- BIO_write(bio,space,15-j%25);
- i++;
- j=0;
- BIO_write(bio,((i%3)?" ":"\n"),1);
- }
- else
- {
- BIO_write(bio,p,1);
- j++;
- }
- p++;
- }
- BIO_write(bio,"\n",1);
- }
ssl_print_sigalgs(bio, s);
ssl_print_tmp_key(bio, s);
diff --git a/apps/s_server.c b/apps/s_server.c
index d7d3ab2..504d3d9 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -508,7 +508,6 @@
BIO_printf(bio_err," -srpvfile file - The verifier file for SRP\n");
BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n");
#endif
- BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n");
#ifndef OPENSSL_NO_SSL3_METHOD
BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n");
#endif
@@ -520,7 +519,6 @@
BIO_printf(bio_err," -timeout - Enable timeouts\n");
BIO_printf(bio_err," -mtu - Set link layer MTU\n");
BIO_printf(bio_err," -chain - Read a certificate chain\n");
- BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n");
BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n");
BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n");
BIO_printf(bio_err," -no_tls1_1 - Just disable TLSv1.1\n");
@@ -1406,13 +1404,6 @@
{ www=2; }
else if (strcmp(*argv,"-HTTP") == 0)
{ www=3; }
-#ifndef OPENSSL_NO_SSL2
- else if (strcmp(*argv,"-ssl2") == 0)
- {
- no_ecdhe=1;
- meth=SSLv2_server_method();
- }
-#endif
#ifndef OPENSSL_NO_SSL3_METHOD
else if (strcmp(*argv,"-ssl3") == 0)
{ meth=SSLv3_server_method(); }
@@ -1768,9 +1759,6 @@
if(strlen(session_id_prefix) >= 32)
BIO_printf(bio_err,
"warning: id_prefix is too long, only one new session will be possible\n");
- else if(strlen(session_id_prefix) >= 16)
- BIO_printf(bio_err,
-"warning: id_prefix is too long if you use SSLv2\n");
if(!SSL_CTX_set_generate_session_id(ctx, generate_session_id))
{
BIO_printf(bio_err,"error setting 'id_prefix'\n");
@@ -1855,9 +1843,6 @@
if(strlen(session_id_prefix) >= 32)
BIO_printf(bio_err,
"warning: id_prefix is too long, only one new session will be possible\n");
- else if(strlen(session_id_prefix) >= 16)
- BIO_printf(bio_err,
- "warning: id_prefix is too long if you use SSLv2\n");
if(!SSL_CTX_set_generate_session_id(ctx2, generate_session_id))
{
BIO_printf(bio_err,"error setting 'id_prefix'\n");
diff --git a/apps/s_time.c b/apps/s_time.c
index 81dad53..6542be2 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -186,7 +186,6 @@
printf("-connect host:port - host:port to connect to (default is %s)\n",SSL_CONNECT_NAME);
#ifdef FIONBIO
printf("-nbio - Run with non-blocking IO\n");
- printf("-ssl2 - Just use SSLv2\n");
printf("-ssl3 - Just use SSLv3\n");
printf("-bugs - Turn on SSL bug compatibility\n");
printf("-new - Just time new connections\n");
@@ -282,10 +281,6 @@
}
else if(strcmp(*argv,"-bugs") == 0)
st_bugs=1;
-#ifndef OPENSSL_NO_SSL2
- else if(strcmp(*argv,"-ssl2") == 0)
- s_time_meth=SSLv2_client_method();
-#endif
#ifndef OPENSSL_NO_SSL3
else if(strcmp(*argv,"-ssl3") == 0)
s_time_meth=SSLv3_client_method();
@@ -430,8 +425,6 @@
ver='t';
else if (ver == SSL3_VERSION)
ver='3';
- else if (ver == SSL2_VERSION)
- ver='2';
else
ver='*';
}
@@ -523,8 +516,6 @@
ver='t';
else if (ver == SSL3_VERSION)
ver='3';
- else if (ver == SSL2_VERSION)
- ver='2';
else
ver='*';
}
