Disable SSLv2 default build, default negotiation and weak ciphers.

SSLv2 is by default disabled at build-time. Builds that are not configured with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of: SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); or SSL_clear_options(ssl, SSL_OP_NO_SSLv2); as appropriate. Even if either of those is used, or the application explicitly uses the version-specific SSLv2_method() or its client or server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no longer available. Mitigation for CVE-2016-0800 Reviewed-by: Emilia Käsper <emilia@openssl.org>
author: Viktor Dukhovni <openssl-users@dukhovni.org> 2016-02-17 21:07:48 -0500
committer: Matt Caswell <matt@openssl.org> 2016-03-01 11:20:10 +0000
commit: 9dfd2be8a1761fffd152a92d8f1b356ad667eea7 (patch)
tree: f29b72c28bb200a7790e3b5de278b6e49c779570 /NEWS
parent: c175308407858afff3fc8c2e5e085d94d12edc7d (diff)
download: openssl-new-9dfd2be8a1761fffd152a92d8f1b356ad667eea7.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index c596993a6f..c728ca6ac1 100644
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,7 @@
 
   Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [under development]
 
-      o
+      o Disable SSLv2 default build, default negotiation and weak ciphers.
 
   Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]
author	Viktor Dukhovni <openssl-users@dukhovni.org>	2016-02-17 21:07:48 -0500
committer	Matt Caswell <matt@openssl.org>	2016-03-01 11:20:10 +0000
commit	9dfd2be8a1761fffd152a92d8f1b356ad667eea7 (patch)
tree	f29b72c28bb200a7790e3b5de278b6e49c779570 /NEWS
parent	c175308407858afff3fc8c2e5e085d94d12edc7d (diff)
download	openssl-new-9dfd2be8a1761fffd152a92d8f1b356ad667eea7.tar.gz