SSLv2 removal

2025-10-24 20:41:03 +02:00 · 2015-01-10 09:06:30 +00:00 · 2015-01-10 09:06:30 +00:00 · 2b356c2f16
commit 2b356c2f16
parent 5cd0d33c31
7 changed files with 10 additions and 13 deletions
--- a/4
+++ b/4
@ -463,9 +463,9 @@ Version 2.6.1.1 'Harding Grim':
 			= In REST API timestamp, we are now using
 				the expiration time (Issue 31).
 		* Configurable cipher suite in the TURN server.
-		* SSL3 support.
+		* SSLv3 support.
 		* TLS 1.1 and 1.2 support.
-		* SSL2 "encapsulation" mode support.
+		* SSLv2 "encapsulation" mode support.
 		* NULL OpenSSL cipher is allowed to be negotiated between
 			server and client.
 		* -U option (NULL cipher) added to the test client.
--- a/README.turnserver
+++ b/README.turnserver
@ -191,8 +191,6 @@ Flags:

 --dh2066		Use 2066 bits predefined DH TLS key. Default size of the key is 1066.

--no-sslv2		Do not allow SSLv2 protocol.
-
 --no-sslv3		Do not allow SSLv3 protocol.

 --no-tlsv1		Do not allow TLSv1/DTLSv1 protocol.
--- a/examples/etc/turnserver.conf
+++ b/examples/etc/turnserver.conf
@ -625,7 +625,6 @@

 # Do not allow an SSL/TLS/DTLS version of protocol
 #
-#no-sslv2
 #no-sslv3
 #no-tlsv1
 #no-tlsv1_1
--- a/man/man1/turnserver.1
+++ b/man/man1/turnserver.1
@ -282,10 +282,6 @@ Use 566 bits predefined DH TLS key. Default size of the key is 1066.
 Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
 .TP
 .B
-\fB\-\-no\-sslv2\fP
-Do not allow SSLv2 protocol.
-.TP
-.B
 \fB\-\-no\-sslv3\fP
 Do not allow SSLv3 protocol.
 .TP
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@ -81,7 +81,8 @@ NULL,

 DH_1066, "", "", "",
 "turn_server_cert.pem","turn_server_pkey.pem", "", "",
-0,0,0,0,0,
+1,
+0,0,0,0,
 #if !TLS_SUPPORTED
 1,
 #else
@ -518,7 +519,6 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " --dh2066					Use 2066 bits predefined DH TLS key. Default size of the predefined key is 1066.\n"
 " --dh-file	<dh-file-name>			Use custom DH TLS key, stored in PEM format in the file.\n"
 "						Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.\n"
-" --no-sslv2					Do not allow SSLv2 protocol.\n"
 " --no-sslv3					Do not allow SSLv3 protocol.\n"
 " --no-tlsv1					Do not allow TLSv1/DTLSv1 protocol.\n"
 " --no-tlsv1_1					Do not allow TLSv1.1 protocol.\n"
@ -908,7 +908,7 @@ static void set_option(int c, char *value)
 	  turn_params.oauth = get_bool_value(value);
 	  break;
  case NO_SSLV2_OPT:
-	  turn_params.no_sslv2 = get_bool_value(value);
+    //deprecated
 	  break;
  case NO_SSLV3_OPT:
 	  turn_params.no_sslv3 = get_bool_value(value);
@ -2531,9 +2531,11 @@ static void set_ctx(SSL_CTX* ctx, const char *protocol)
 	{
 		int op = 0;

+#if !defined(OPENSSL_NO_SSL2)
 #if defined(SSL_OP_NO_SSLv2)
 		if(turn_params.no_sslv2)
 			op |= SSL_OP_NO_SSLv2;
+#endif
 #endif
 		if(turn_params.no_sslv3)
 			op |= SSL_OP_NO_SSLv3;
--- a/src/apps/uclient/mainuclient.c
+++ b/src/apps/uclient/mainuclient.c
@ -496,7 +496,7 @@ int main(int argc, char **argv)
 		SSL_load_error_strings();
 		OpenSSL_add_ssl_algorithms();

-		const char *csuite = "ALL:SSLv2"; //"AES256-SHA" "DH"
+		const char *csuite = "ALL"; //"AES256-SHA" "DH"
 		if(use_null_cipher)
 			csuite = "eNULL";
 		else if(cipher_suite[0])
--- a/src/apps/uclient/uclient.h
+++ b/src/apps/uclient/uclient.h
@ -36,6 +36,8 @@
 #include "session.h"

 #include <openssl/ssl.h>
+#include <openssl/dh.h>
+#include <openssl/bn.h>

 #ifdef __cplusplus
 extern "C" {