Remove SSLv2 support

The only support for SSLv2 left is receiving a SSLv2 compatible client hello.

Reviewed-by: Richard Levitte <[email protected]>

Configure

@@ -847,7 +847,6 @@ PROCESS_ARGS:
 				{
 				if ($1 eq "ssl")
 					{
-					$disabled{"ssl2"} = "option(ssl)";
 					$disabled{"ssl3"} = "option(ssl)";
 					}
 				elsif ($1 eq "tls")
@@ -1062,12 +1061,6 @@ if (defined($disabled{"ec"}))
 	$disabled{"ecdh"} = "forced";
 	}
 
-# SSL 2.0 requires MD5 and RSA
-if (defined($disabled{"md5"}) || defined($disabled{"rsa"}))
-	{
-	$disabled{"ssl2"} = "forced";
-	}
-
 # SSL 3.0 and TLS requires MD5 and SHA and either RSA or DSA+DH
 if (defined($disabled{"md5"}) || defined($disabled{"sha"})
     || (defined($disabled{"rsa"})

INSTALL.VMS

@@ -134,7 +134,7 @@ Currently, the logical names supported are:
                         will not be implemented.  Supported algorithms to
                         do this with are: RSA, DSA, DH, MD2, MD4, MD5, RIPEMD,
                         SHA, DES, MDC2, CR2, RC4, RC5, IDEA, BF, CAST, HMAC,
-                        SSL2.  So, for example, having the logical name
+                        SSL3.  So, for example, having the logical name
                         OPENSSL_NO_RSA with the value YES means that the
                         LIBCRYPTO.OLB library will not contain an RSA
                         implementation.

Netware/do_tests.pl

@@ -270,22 +270,6 @@ sub ssl_tests
    print( OUT "\n========================================================\n");
    print( OUT "SSL TESTS:\n\n");
 
-   system("ssltest -ssl2 (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2:");
-   log_output("ssltest -ssl2", $outFile);
-
-   system("$ssltest -ssl2 -server_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2 with server authentication:");
-   log_output("$ssltest -ssl2 -server_auth", $outFile);
-
-   system("$ssltest -ssl2 -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2 with client authentication:");
-   log_output("$ssltest -ssl2 -client_auth", $outFile);
-
-   system("$ssltest -ssl2 -server_auth -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2 with both client and server authentication:");
-   log_output("$ssltest -ssl2 -server_auth -client_auth", $outFile);
-
    system("ssltest -ssl3 (CLIB_OPT)/>$outFile");
    log_desc("Testing sslv3:");
    log_output("ssltest -ssl3", $outFile);
@@ -318,26 +302,10 @@ sub ssl_tests
    log_desc("Testing sslv2/sslv3 with both client and server authentication:");
    log_output("$ssltest -server_auth -client_auth", $outFile);
 
-   system("ssltest -bio_pair -ssl2 (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2 via BIO pair:");
-   log_output("ssltest -bio_pair -ssl2", $outFile);
-
    system("ssltest -bio_pair -dhe1024dsa -v (CLIB_OPT)/>$outFile");
    log_desc("Testing sslv2/sslv3 with 1024 bit DHE via BIO pair:");
    log_output("ssltest -bio_pair -dhe1024dsa -v", $outFile);
 
-   system("$ssltest -bio_pair -ssl2 -server_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2 with server authentication via BIO pair:");
-   log_output("$ssltest -bio_pair -ssl2 -server_auth", $outFile);
-
-   system("$ssltest -bio_pair -ssl2 -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2 with client authentication via BIO pair:");
-   log_output("$ssltest -bio_pair -ssl2 -client_auth", $outFile);
-
-   system("$ssltest -bio_pair -ssl2 -server_auth -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2 with both client and server authentication via BIO pair:");
-   log_output("$ssltest -bio_pair -ssl2 -server_auth -client_auth", $outFile);
-
    system("ssltest -bio_pair -ssl3 (CLIB_OPT)/>$outFile");
    log_desc("Testing sslv3 via BIO pair:");
    log_output("ssltest -bio_pair -ssl3", $outFile);

apps/ciphers.c

@@ -73,7 +73,6 @@ static const char *ciphers_usage[]={
 "usage: ciphers args\n",
 " -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
 " -V          - even more verbose\n",
-" -ssl2       - SSL2 mode\n",
 " -ssl3       - SSL3 mode\n",
 " -tls1       - TLS1 mode\n",
 NULL
@@ -130,10 +129,6 @@ int MAIN(int argc, char **argv)
 		else if (strcmp(*argv,"-stdname") == 0)
 			stdname=verbose=1;
 #endif
-#ifndef OPENSSL_NO_SSL2
-		else if (strcmp(*argv,"-ssl2") == 0)
-			meth=SSLv2_client_method();
-#endif
 #ifndef OPENSSL_NO_SSL3
 		else if (strcmp(*argv,"-ssl3") == 0)
 			meth=SSLv3_client_method();
@@ -210,9 +205,7 @@ int MAIN(int argc, char **argv)
 				int id2 = (int)((id >> 8) & 0xffL);
 				int id3 = (int)(id & 0xffL);
 
-				if ((id & 0xff000000L) == 0x02000000L)
-					BIO_printf(STDout, "     0x%02X,0x%02X,0x%02X - ", id1, id2, id3); /* SSL2 cipher */
-				else if ((id & 0xff000000L) == 0x03000000L)
+				if ((id & 0xff000000L) == 0x03000000L)
 					BIO_printf(STDout, "          0x%02X,0x%02X - ", id2, id3); /* SSL3 cipher */
 				else
 					BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */

apps/s_cb.c

@@ -621,8 +621,6 @@ static const char *ssl_version_str(int version)
 	{
 	switch (version)
 		{
-	case SSL2_VERSION:
-		return "SSL 2.0";
 	case SSL3_VERSION:
 		return "SSL 3.0";
 	case TLS1_VERSION:
@@ -649,67 +647,6 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 
 	str_version = ssl_version_str(version);
 
-	if (version == SSL2_VERSION)
-		{
-		str_details1 = "???";
-
-		if (len > 0)
-			{
-			switch (((const unsigned char*)buf)[0])
-				{
-				case 0:
-					str_details1 = ", ERROR:";
-					str_details2 = " ???";
-					if (len >= 3)
-						{
-						unsigned err = (((const unsigned char*)buf)[1]<<8) + ((const unsigned char*)buf)[2];
-
-						switch (err)
-							{
-						case 0x0001:
-							str_details2 = " NO-CIPHER-ERROR";
-							break;
-						case 0x0002:
-							str_details2 = " NO-CERTIFICATE-ERROR";
-							break;
-						case 0x0004:
-							str_details2 = " BAD-CERTIFICATE-ERROR";
-							break;
-						case 0x0006:
-							str_details2 = " UNSUPPORTED-CERTIFICATE-TYPE-ERROR";
-							break;
-							}
-						}
-
-					break;
-				case 1:
-					str_details1 = ", CLIENT-HELLO";
-					break;
-				case 2:
-					str_details1 = ", CLIENT-MASTER-KEY";
-					break;
-				case 3:
-					str_details1 = ", CLIENT-FINISHED";
-					break;
-				case 4:
-					str_details1 = ", SERVER-HELLO";
-					break;
-				case 5:
-					str_details1 = ", SERVER-VERIFY";
-					break;
-				case 6:
-					str_details1 = ", SERVER-FINISHED";
-					break;
-				case 7:
-					str_details1 = ", REQUEST-CERTIFICATE";
-					break;
-				case 8:
-					str_details1 = ", CLIENT-CERTIFICATE";
-					break;
-				}
-			}
-		}
-
 	if (version == SSL3_VERSION ||
 	    version == TLS1_VERSION ||
 	    version == TLS1_1_VERSION ||
@@ -1829,11 +1766,6 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx,
 	case SSL_SECOP_CURVE_CHECK:
 		nm = "Check Curve";
 		break;
-	case SSL_SECOP_SSL2_COMPAT:
-		BIO_puts(sdb->out, "SSLv2 compatible");
-		show_bits = 0;
-		nm = NULL;
-		break;
 	case SSL_SECOP_VERSION:
 		BIO_printf(sdb->out, "Version=%s", ssl_version_str(nid));
 		show_bits = 0;

apps/s_client.c

@@ -335,7 +335,6 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
 	BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
 #endif
-	BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
 #ifndef OPENSSL_NO_SSL3_METHOD
 	BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
 #endif
@@ -345,9 +344,8 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
 	BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
 	BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
-	BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
+	BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3 - turn off that protocol\n");
 	BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
-	BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
 	BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
 	BIO_printf(bio_err,"                 command to see what is available\n");
 	BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
@@ -912,10 +910,6 @@ static char *jpake_secret = NULL;
 			meth=TLSv1_client_method();
 			}
 #endif
-#ifndef OPENSSL_NO_SSL2
-		else if	(strcmp(*argv,"-ssl2") == 0)
-			meth=SSLv2_client_method();
-#endif
 #ifndef OPENSSL_NO_SSL3_METHOD
 		else if	(strcmp(*argv,"-ssl3") == 0)
 			meth=SSLv3_client_method();
@@ -2198,14 +2192,12 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
 static void print_stuff(BIO *bio, SSL *s, int full)
 	{
 	X509 *peer=NULL;
-	char *p;
-	static const char *space="                ";
 	char buf[BUFSIZ];
 	STACK_OF(X509) *sk;
 	STACK_OF(X509_NAME) *sk2;
 	const SSL_CIPHER *c;
 	X509_NAME *xn;
-	int j,i;
+	int i;
 #ifndef OPENSSL_NO_COMP
 	const COMP_METHOD *comp, *expansion;
 #endif
@@ -2267,34 +2259,6 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 			{
 			BIO_printf(bio,"---\nNo client certificate CA names sent\n");
 			}
-		p=SSL_get_shared_ciphers(s,buf,sizeof buf);
-		if (p != NULL)
-			{
-			/* This works only for SSL 2.  In later protocol
-			 * versions, the client does not know what other
-			 * ciphers (in addition to the one to be used
-			 * in the current connection) the server supports. */
-
-			BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
-			j=i=0;
-			while (*p)
-				{
-				if (*p == ':')
-					{
-					BIO_write(bio,space,15-j%25);
-					i++;
-					j=0;
-					BIO_write(bio,((i%3)?" ":"\n"),1);
-					}
-				else
-					{
-					BIO_write(bio,p,1);
-					j++;
-					}
-				p++;
-				}
-			BIO_write(bio,"\n",1);
-			}
 
 		ssl_print_sigalgs(bio, s);
 		ssl_print_tmp_key(bio, s);

apps/s_server.c

@@ -508,7 +508,6 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -srpvfile file      - The verifier file for SRP\n");
 	BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n");
 #endif
-	BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
 #ifndef OPENSSL_NO_SSL3_METHOD
 	BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
 #endif
@@ -520,7 +519,6 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -timeout      - Enable timeouts\n");
 	BIO_printf(bio_err," -mtu          - Set link layer MTU\n");
 	BIO_printf(bio_err," -chain        - Read a certificate chain\n");
-	BIO_printf(bio_err," -no_ssl2      - Just disable SSLv2\n");
 	BIO_printf(bio_err," -no_ssl3      - Just disable SSLv3\n");
 	BIO_printf(bio_err," -no_tls1      - Just disable TLSv1\n");
 	BIO_printf(bio_err," -no_tls1_1    - Just disable TLSv1.1\n");
@@ -1406,13 +1404,6 @@ int MAIN(int argc, char *argv[])
 			{ www=2; }
 		else if	(strcmp(*argv,"-HTTP") == 0)
 			{ www=3; }
-#ifndef OPENSSL_NO_SSL2
-		else if	(strcmp(*argv,"-ssl2") == 0)
-			{
-			no_ecdhe=1;
-			meth=SSLv2_server_method();
-			}
-#endif
 #ifndef OPENSSL_NO_SSL3_METHOD
 		else if	(strcmp(*argv,"-ssl3") == 0)
 			{ meth=SSLv3_server_method(); }
@@ -1768,9 +1759,6 @@ int MAIN(int argc, char *argv[])
 		if(strlen(session_id_prefix) >= 32)
 			BIO_printf(bio_err,
 "warning: id_prefix is too long, only one new session will be possible\n");
-		else if(strlen(session_id_prefix) >= 16)
-			BIO_printf(bio_err,
-"warning: id_prefix is too long if you use SSLv2\n");
 		if(!SSL_CTX_set_generate_session_id(ctx, generate_session_id))
 			{
 			BIO_printf(bio_err,"error setting 'id_prefix'\n");
@@ -1855,9 +1843,6 @@ int MAIN(int argc, char *argv[])
 			if(strlen(session_id_prefix) >= 32)
 				BIO_printf(bio_err,
 					"warning: id_prefix is too long, only one new session will be possible\n");
-			else if(strlen(session_id_prefix) >= 16)
-				BIO_printf(bio_err,
-					"warning: id_prefix is too long if you use SSLv2\n");
 			if(!SSL_CTX_set_generate_session_id(ctx2, generate_session_id))
 				{
 				BIO_printf(bio_err,"error setting 'id_prefix'\n");

apps/s_time.c

@@ -186,7 +186,6 @@ static void s_time_usage(void)
 	printf("-connect host:port - host:port to connect to (default is %s)\n",SSL_CONNECT_NAME);
 #ifdef FIONBIO
 	printf("-nbio         - Run with non-blocking IO\n");
-	printf("-ssl2         - Just use SSLv2\n");
 	printf("-ssl3         - Just use SSLv3\n");
 	printf("-bugs         - Turn on SSL bug compatibility\n");
 	printf("-new          - Just time new connections\n");
@@ -282,10 +281,6 @@ static int parseArgs(int argc, char **argv)
 		}
 	else if(strcmp(*argv,"-bugs") == 0)
 	    st_bugs=1;
-#ifndef OPENSSL_NO_SSL2
-	else if(strcmp(*argv,"-ssl2") == 0)
-	    s_time_meth=SSLv2_client_method();
-#endif
 #ifndef OPENSSL_NO_SSL3
 	else if(strcmp(*argv,"-ssl3") == 0)
 	    s_time_meth=SSLv3_client_method();
@@ -430,8 +425,6 @@ int MAIN(int argc, char **argv)
 				ver='t';
 			else if (ver == SSL3_VERSION)
 				ver='3';
-			else if (ver == SSL2_VERSION)
-				ver='2';
 			else
 				ver='*';
 			}
@@ -523,8 +516,6 @@ int MAIN(int argc, char **argv)
 				ver='t';
 			else if (ver == SSL3_VERSION)
 				ver='3';
-			else if (ver == SSL2_VERSION)
-				ver='2';
 			else
 				ver='*';
 			}

crypto/err/openssl.ec

@@ -51,7 +51,6 @@ F RSAREF_F_RSA_PRIVATE_DECRYPT
 F RSAREF_F_RSA_PRIVATE_ENCRYPT
 F RSAREF_F_RSA_PUBLIC_DECRYPT
 F RSAREF_F_RSA_PUBLIC_ENCRYPT
-#F SSL_F_CLIENT_CERTIFICATE
 
 R SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE		1010
 R SSL_R_SSLV3_ALERT_BAD_RECORD_MAC		1020

crypto/evp/c_alld.c

@@ -69,7 +69,6 @@ void OpenSSL_add_all_digests(void)
 #endif
 #ifndef OPENSSL_NO_MD5
 	EVP_add_digest(EVP_md5());
-	EVP_add_digest_alias(SN_md5,"ssl2-md5");
 	EVP_add_digest_alias(SN_md5,"ssl3-md5");
 #endif
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)

crypto/threads/mttest.c

@@ -217,8 +217,6 @@ int main(int argc, char *argv[])
 			cache_stats=1;
 		else if	(strcmp(*argv,"-ssl3") == 0)
 			ssl_method=SSLv3_method();
-		else if	(strcmp(*argv,"-ssl2") == 0)
-			ssl_method=SSLv2_method();
 		else if	(strcmp(*argv,"-CApath") == 0)
 			{
 			if (--argc < 1) goto bad;