Hi Bernard,

Current versions of LibreSSL's libssl only disable SSLv3 by default. Support still exists, and programs can still enable it if they choose. For example, you will get an error if you do not explicitly specify -ssl3 as an option to openssl(1).

In case there is confusion, libtls, which is not packaged with the portable version yet, does disable SSLv3 entirely with no option to enable. But, libssl still allows it optionally.

- Brent

On Tue, Nov 25, 2014 at 5:28 AM, Bernard Spil <bern...@bachfreund.nl> wrote:
> Hi,
>
> Running LibreSSL portable 2.1.1 from FreeBSD ports on FreeBSD 10.1
> $ /usr/local/bin/openssl version
> LibreSSL 2.1
> $ uname -a
> FreeBSD meterkast3.example.org 10.1-RELEASE FreeBSD 10.1-RELEASE #0
> r264324M: Tue Nov 11 13:46:58 CET 2014
> r...@meterkast3.example.org:/usr/obj/usr/src/sys/BEASTIE101 amd64
>
> To my surprise, the LibreSSL openssl binary does not see the -sslv3 option
> as an error. (examples and captures with google.com server)
> $ /usr/local/bin/openssl s_client -connect 173.194.65.147:443 -ssl3
> CONNECTED(00000003)
> where I would expect the same behaviour as e.g. openssl 0.9.8 when calling
> it with the -tls1_2 option.
>
> Next to that I see that it successfully negotiates a connection using an
> ssl3-capable server.
> Client Hello and Server Hello both have 0x0300 as can be seen in attached
> capture and at end of this mail.
>
> Is this expected behaviour? I.e. has LibreSSL only removed the sslv3 server
> capability?
>
> When I set up an SSL server with OpenSSL 1.0.1j from base, I can not connect
> to it straight away but I can connect when I use -ssl3 (both in log below)
> $ openssl version
> OpenSSL 1.0.1j-freebsd 15 Oct 2014
> $ openssl s_server -ssl3 -accept 4443
> Using default temp DH parameters
> Using default temp ECDH parameters
> ACCEPT
> ERROR
> shutting down SSL
> CONNECTION CLOSED
> ACCEPT
> -----BEGIN SSL SESSION PARAMETERS-----
> <snip>
> -----END SSL SESSION PARAMETERS-----
> <snip>CIPHER is ECDHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> DONE
> shutting down SSL
> CONNECTION CLOSED
> ACCEPT
>
> $ /usr/local/bin/openssl s_client -connect localhost:4443
> CONNECTED(00000003)
> 34378806536:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported
> protocol:s23_clnt.c:497:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 280 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
> $ /usr/local/bin/openssl s_client -connect localhost:4443 -ssl3
> <snip>
> ---
> SSL handshake has read 1524 bytes and written 262 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : SSLv3
> Cipher : ECDHE-RSA-AES256-SHA
> Session-ID:
> 468B5F3CE1CF1CDA9F49312EE9424BD985B22FC1A9EA92692C9C6EB818F0C725
> Session-ID-ctx:
> Master-Key:
> 78D830C15F518C6FC9C5D9760B8B3F09D58F516944E72C9F2A89D3B3E6DD6D78189B1B0A702D4FBB8CDDEBF83B19A433
> Start Time: 1416914867
> Timeout : 7200 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
>
> Thanks!
> Bernard (Barnerd) Spil.
>
> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
> 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
> i:/C=US/O=Google Inc/CN=Google Internet Authority G2
> 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
> i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> <snip>
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
> issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3578 bytes and written 258 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : SSLv3
> Cipher : ECDHE-RSA-RC4-SHA
> Session-ID:
> D807A5102140A0D0F5DF4562E961C485F7C0D506572FF7852D61207576F3C5A5
> Session-ID-ctx:
> Master-Key:
> 175DDE1E866E41DC8F9D64779B0BBB5F4AA663F2DBF1EB1C312036CFE9E580997653A73CB6C7AEB2310B6D5793F13C55
> Start Time: 1416913094
> Timeout : 7200 (sec)
> Verify return code: 20 (unable to get local issuer certificate)
> ---
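
Added example, not part of the original thread and not LibreSSL code: a small Python check for the 0x0300 version field that the capture described above shows in the Client Hello and Server Hello, usable when auditing captured handshakes for SSLv3 negotiation. It assumes the hello message is the first message in a single unfragmented record; all function names and the sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE = 0x16
HELLO_TYPES = {1: "ClientHello", 2: "ServerHello"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def parse_hello(record: bytes):
    """Return (message name, record-layer version, hello version)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 6:
        raise ValueError("truncated handshake message")
    if body[0] not in HELLO_TYPES:
        raise ValueError("not a ClientHello or ServerHello")
    msg_len = int.from_bytes(body[1:4], "big")
    if msg_len < 2 or msg_len > rec_len - 4:
        raise ValueError("bad handshake length")
    (hello_ver,) = struct.unpack("!H", body[4:6])
    return HELLO_TYPES[body[0]], rec_ver, hello_ver


def negotiated_sslv3(server_hello: bytes) -> bool:
    """True when the ServerHello selects SSLv3 (0x0300)."""
    name, _, ver = parse_hello(server_hello)
    if name != "ServerHello":
        raise ValueError("expected a ServerHello")
    return ver == 0x0300


def build_server_hello(version: int) -> bytes:
    """Constructed sample: zero random, empty session id, suite 0xC011."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\xc0\x11" + b"\x00"
    msg = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(msg)) + msg


if __name__ == "__main__":
    for ver in (0x0300, 0x0303):
        name, _, hello = parse_hello(build_server_hello(ver))
        flag = "REJECT" if hello == 0x0300 else "ok"
        print(f"{name} {VERSIONS.get(hello, hex(hello))}: {flag}")
```

In a ClientHello the version field is the highest version the client offers, while in a ServerHello it is the version actually selected, so the ServerHello is the one to alert on.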