OpenSSL 3.0: how to enable SSLv3_method (compatibility with legacy system) #21416
-
I need to enable SSLv3_method building OpenSSL C++ on Windows in Visual Studio. I open the VS2015 Native command prompt and I configure the project with
-
Remove the
-
I did it, but it doesn't work. I build the code, but the Wireshark capture is "sslv3 record layer: alert handshake failure"
-
Which version of OpenSSL are you using? Are you trying to do this as a client or as a server?
-
I'm using OpenSSL 3.0 LTS (de90e54) built for win64 using VS2015. The previous version was 1.0.2u, and with that version the connection works.
The context was created with
I'm forced to use SSLv3_method in order to be compatible with a legacy version of one of our old software. My application is the client.
-
You need to set the security level to 0. SSLv3 will not work at the default security level. Call I would also recommend that you change
-
I tried with TLS_method() and it negotiates SSLv3, but SSLv3 still does not work, also calling the error is the same as before.
-
After the connection fails please try printing out any errors on the OpenSSL error stack, e.g.
Post any errors you see here.
-
The connection still fails but errs.log is empty. Am I doing something wrong?
-
I have the following error: error:00000002:lib(0)::reason(2) using the
-
You shouldn't need to call Please add Are you using a blocking or non-blocking socket?
-
This is the output
Socket is not blocking.
-
Does it continue to report the same value for all iterations of your loop? When working with non-blocking sockets you need to use SSL_get_error() to determine what action to take in the event of an IO operation failing. See the man page here: https://www.openssl.org/docs/man3.0/man3/SSL_get_error.html
A value of 2 corresponds to SSL_ERROR_WANT_READ, which is described on the man page as:
In other words, SSL_ERROR_WANT_READ is not a permanent error - it just means the peer (i.e. the server in this case) hasn't sent us enough data yet. You should check the underlying socket for readability and call SSL_connect() again when it is readable.
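The retry logic described in the reply above, as an added example that is not part of the original thread and is not OpenSSL's own code. It assumes POSIX `poll()` (on Windows, `WSAPoll` or `select` would take its place); `hs_step_fn`, `drive_handshake`, `scripted_step` and `demo` are hypothetical names, and the scripted peer is constructed so the loop can be exercised without a server.

```c
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Numeric SSL_get_error() codes: 1 = SSL_ERROR_SSL, 2 = WANT_READ, 3 = WANT_WRITE. */
enum { HS_OK = 0, HS_FATAL = 1, HS_WANT_READ = 2, HS_WANT_WRITE = 3 };

/* Hypothetical callback: one handshake attempt. With OpenSSL it would wrap
 *   int r = SSL_connect(ssl); return r == 1 ? HS_OK : SSL_get_error(ssl, r); */
typedef int (*hs_step_fn)(void *conn);

/* Wait for the direction the library asked for: 1 ready, 0 timeout, -1 error. */
static int wait_ready(int fd, int want, int timeout_ms) {
    struct pollfd p = { .fd = fd, .events = want == HS_WANT_READ ? POLLIN : POLLOUT };
    int n = poll(&p, 1, timeout_ms);
    return n < 0 ? -1 : n > 0;
}

/* Returns 0 on success, -1 on timeout or poll failure, otherwise the fatal code.
 * A retry code is not a failure, so there is nothing to report until then. */
int drive_handshake(int fd, hs_step_fn step, void *conn, int timeout_ms) {
    for (;;) {
        int err = step(conn);
        if (err == HS_OK) return 0;
        if (err != HS_WANT_READ && err != HS_WANT_WRITE)
            return err;                 /* permanent, e.g. the peer sent an alert */
        if (wait_ready(fd, err, timeout_ms) <= 0)
            return -1;                  /* peer did not answer in time */
    }
}

/* Constructed stand-in for a peer: WANT_READ twice, then a final code. */
struct script { int calls, final; };
static int scripted_step(void *c) {
    struct script *s = c;
    return ++s->calls <= 2 ? HS_WANT_READ : s->final;
}

/* Constructed demo over a socketpair; peer_sends makes the socket readable. */
int demo(int final_code, int peer_sends) {
    int sv[2], rc = -2;
    struct script s = { 0, final_code };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return rc;
    if (!peer_sends || write(sv[1], "x", 1) == 1)
        rc = drive_handshake(sv[0], scripted_step, &s, 200);
    close(sv[0]);
    close(sv[1]);
    return rc;
}
```

`demo(HS_FATAL, 1)` models the case in this thread: two retry codes while the server has not answered, then a permanent failure once its alert arrives.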
-
Sniffing with a Wireshark capture, I just receive a handshake error from the server. The same code using OpenSSL v1.0.2u works properly. So, has something changed in the SSLv3 method?
-
You definitely need to set the SECLEVEL=0. The ciphers in the default configuration were also changed in 3.0. Maybe you also need to set some legacy weak ciphersuites to be able to communicate with the server?