[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8904) Cannot enable SSL3 when disabled by default in OpenSSL

Full_Name: Matus Honek
Version: 2.4.46
OS: Fedora 28
URL: ftp://ftp.openldap.org/incoming/Matus-Honek-180821.patch
Submission from: (NULL) (

When in OpenSSL one disables SSL3 by default (the SSL_OP_NO_SSLv3 is set by
default, like in recent Fedora distributions) then with the current code in
OpenLDAP it is not possible to have it re-enabled using TLS_PROTOCOL_MIN
configuration option.

The attached patch explicitly clears the SSL_OP_NO_SSLv3 option when
TLS_PROTOCOL_MIN is set so that SSL3 should be enabled. Feel free to use it; I
believe IPR should not be necessary for a one liner.

However, in the future when more protocols will be disabled by default (possibly
soon for TLS1.0 and TLS1.1), similar fixes will be needed for those as well. Or,
it may be decided to not support the protocols that are disabled by default but
in that case probably a log message should be issued once user tries to enable a
by default disabled protocol.