Remove support for SSLv2 Client Hello#28041
Conversation
kroeckx
force-pushed
the
sslv2
branch
3 times, most recently
from
27c375f to
2d67d58
Compare
github-actions
bot
added
the
severity: fips change
|
SSLv2 support itself was dropped in 1.1.0 (2016). I think the reason for keeping the SSLv2 compatible client hello support was that 0.9.8 used to do that by default. But I think it's about time to remove this. |
|
We have this in ssl_local.h: That is, it's to say it's not an SSLv2 cipher having 3 bytes. And in include/openssl/ssl3.h all ciphers starts with 0x0300. When this patch is applied, in theory we could remove that 0x3000 from all the cipher values. But I'm not sure now is a good time to do that as it's a public header. |
paulidale
left a comment
paulidale
left a comment
There was a problem hiding this comment.
Nice work. One suggestion.
paulidale
left a comment
paulidale
left a comment
There was a problem hiding this comment.
I'm more than happy to see the end of this one.
paulidale
added
branch: master
That, but also Internet Explorer 6 sent the SSLv2 compatible ClientHello by default. Windows XP shipped with IE6 by default. I assume at the time we were still concerned about lingering XP instances out there. I hope we don't have to worry about that in 2025!! |
mattcaswell
left a comment
mattcaswell
left a comment
There was a problem hiding this comment.
It seems this is worthy of a CHANGES.md entry (and arguably NEWS.md as well)
mattcaswell
left a comment
mattcaswell
left a comment
There was a problem hiding this comment.
Looks good. A few minor comments
InfoHunter
left a comment
InfoHunter
left a comment
There was a problem hiding this comment.
Great to see this. No need to consider IE6.
paulidale
added
approval: done
openssl-machine
removed
the
approval: done
|
This pull request is ready to merge |
openssl-machine
added
the
approval: ready to merge
t8m
left a comment
t8m
left a comment
There was a problem hiding this comment.
As this was not merged in time for 3.6 version, could you please replace all the references to 3.6 with 4.0?
t8m
removed
the
approval: ready to merge
|
This PR is waiting for the creator to make requested changes but it has not been updated for 30 days. If you have made changes or commented to the reviewer please make sure you re-request a review (see icon in the 'reviewers' section). |
|
Thank you for updating it, it looks good. |
mattcaswell
added
the
approval: review pending
esyr
left a comment
esyr
left a comment
There was a problem hiding this comment.
ossl_bytes_to_cipher_list might need an additional refactoring pass to get the unneeded local variable replaced with a constant, and a test for actually failing sslv2 hello is a nice to have, but otherwise LGTM.
Drop support for the SSLv2 Client Hello. We allowed that a client send an SSLv2 compatible Client Hello.
levitte
dismissed stale reviews from tomato42, esyr, and mattcaswell
via
9f7ef92
|
Unfortunately, re-approvals needed |
levitte
added
approval: done
openssl-machine
added
approval: ready to merge
|
This pull request is ready to merge |
Drop support for the SSLv2 Client Hello. We allowed that a client send an SSLv2 compatible Client Hello. Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Alicja Kario <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #28041)
|
It looks like @mattcaswell merged this last Friday, ending up with 09c2bc5 in the master branch. Therefore closing this. |
Drop support for the SSLv2 Client Hello. We allowed that a client send an SSLv2 compatible Client Hello. Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Alicja Kario <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from openssl#28041)
11 participants
Drop support for the SSLv2 Client Hello. We allowed that a client send an SSLv2 compatible Client Hello.
Checklist