diff -up ./src/check_nrpe.c.opensslv110_nossl2 ./src/check_nrpe.c
--- ./src/check_nrpe.c.opensslv110_nossl2 2017-03-23 19:17:30.322349781 -0400
+++ ./src/check_nrpe.c 2017-03-23 19:18:54.296008360 -0400
@@ -65,8 +65,7 @@ int use_ssl = FALSE;
/* SSL/TLS parameters */
typedef enum _SSL_VER {
- SSL_Ver_Invalid = 0, SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus,
- TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus
+ SSL_Ver_Invalid = 0, TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus
} SslVer;
typedef enum _CLNT_CERTS { Ask_For_Cert = 1, Require_Cert = 2 } ClntCerts;
@@ -404,15 +403,7 @@ int process_arguments(int argc, char **a
"overrides the config file option.");
break;
}
- if (!strcmp(optarg, "SSLv2"))
- sslprm.ssl_min_ver = SSLv2;
- else if (!strcmp(optarg, "SSLv2+"))
- sslprm.ssl_min_ver = SSLv2_plus;
- else if (!strcmp(optarg, "SSLv3"))
- sslprm.ssl_min_ver = SSLv3;
- else if (!strcmp(optarg, "SSLv3+"))
- sslprm.ssl_min_ver = SSLv3_plus;
- else if (!strcmp(optarg, "TLSv1"))
+ if (!strcmp(optarg, "TLSv1"))
sslprm.ssl_min_ver = TLSv1;
else if (!strcmp(optarg, "TLSv1+"))
sslprm.ssl_min_ver = TLSv1_plus;
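Review bot: With the `SSLv2`/`SSLv3` branches removed, an `optarg` of `SSLv3` (or any other dropped name) now reaches whatever ends this `else if` chain, and that end lies outside the hunk. Please confirm the final branch rejects the value with an error instead of leaving `sslprm.ssl_min_ver` at its default. A caller that still passes a removed name should fail loudly, not connect with a version it did not ask for. The same question applies to the `ssl_version` parsing in `read_config_file` in nrpe.c, where a stale config line should stop the daemon from starting, not be ignored.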
@@ -667,8 +658,7 @@ void usage(int result)
printf(" 2 = Force Anonymous Diffie Hellman\n");
printf(" <size> = Specify non-default payload size for NSClient++\n");
printf
- (" <ssl ver> = The SSL/TLS version to use. Can be any one of: SSLv2 (only),\n");
- printf(" SSLv2+ (or above), SSLv3 (only), SSLv3+ (or above),\n");
+ (" <ssl ver> = The SSL/TLS version to use. Can be any one of: \n");
printf(" TLSv1 (only), TLSv1+ (or above DEFAULT), TLSv1.1 (only),\n");
printf(" TLSv1.1+ (or above), TLSv1.2 (only), TLSv1.2+ (or above)\n");
printf(" <cipherlist> = The list of SSL ciphers to use (currently defaults\n");
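Review bot: The rewritten help line ends in `of: \n`, which leaves a trailing space in the output. The `printf` call is also still split across two lines, although the shortened string no longer needs it. Dropping the space before `\n` and joining the call onto one line would match the neighbouring `printf(...)` statements.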
@@ -738,18 +728,6 @@ void setup_ssl()
sslprm.allowDH == 0 ? "No" : (sslprm.allowDH == 1 ? "Allow" : "Require"));
syslog(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts);
switch (sslprm.ssl_min_ver) {
- case SSLv2:
- val = "SSLv2";
- break;
- case SSLv2_plus:
- val = "SSLv2 And Above";
- break;
- case SSLv3:
- val = "SSLv3";
- break;
- case SSLv3_plus:
- val = "SSLv3_plus And Above";
- break;
case TLSv1:
val = "TLSv1";
break;
@@ -781,14 +759,6 @@ void setup_ssl()
SSL_library_init();
meth = SSLv23_client_method();
-# ifndef OPENSSL_NO_SSL2
- if (sslprm.ssl_min_ver == SSLv2)
- meth = SSLv2_client_method();
-# endif
-# ifndef OPENSSL_NO_SSL3
- if (sslprm.ssl_min_ver == SSLv3)
- meth = SSLv3_client_method();
-# endif
if (sslprm.ssl_min_ver == TLSv1)
meth = TLSv1_client_method();
# ifdef SSL_TXT_TLSV1_1
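Review bot: The constructors that remain here, `SSLv23_client_method()` and `TLSv1_client_method()`, are deprecated as of OpenSSL 1.1.0, which the patch name suggests is the target. The block will therefore still emit deprecation warnings and may not build against a library configured without deprecated APIs. For 1.1.0 and later consider `meth = TLS_client_method();` with the floor enforced by `SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);`, plus a matching maximum for the "only" values, behind an `OPENSSL_VERSION_NUMBER` check so older libraries keep the current path. The same applies to the `TLSv1_server_method()` selection in `init_ssl` in nrpe.c. `setup_ssl` continues outside this hunk.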
@@ -806,9 +776,6 @@ void setup_ssl()
}
switch(sslprm.ssl_min_ver) {
- case SSLv2:
- case SSLv2_plus:
- break;
case TLSv1_2:
case TLSv1_2_plus:
ssl_opts |= SSL_OP_NO_TLSv1_1;
@@ -818,9 +785,6 @@ void setup_ssl()
case TLSv1:
case TLSv1_plus:
ssl_opts |= SSL_OP_NO_SSLv3;
- case SSLv3:
- case SSLv3_plus:
- ssl_opts |= SSL_OP_NO_SSLv2;
break;
}
SSL_CTX_set_options(ctx, ssl_opts);
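Review bot: Deleting the `case SSLv3:`/`case SSLv3_plus:` labels also deletes `ssl_opts |= SSL_OP_NO_SSLv2;`, which the TLS cases shown here reached by fall-through, so no visible path in this switch sets that option any more. That is harmless on OpenSSL 1.1.0, which has no SSLv2 code. If this source is also built against an older library, the `SSLv23_client_method()` context then depends on the library's defaults to keep SSLv2 off, unless `ssl_opts` is initialised with the flag outside the hunk. Keeping `ssl_opts |= SSL_OP_NO_SSLv2;` directly after the `SSL_OP_NO_SSLv3` line preserves the old behaviour at no cost. The same deletion occurs in the `init_ssl` switch in nrpe.c.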
diff -up ./src/nrpe.c.opensslv110_nossl2 ./src/nrpe.c
--- ./src/nrpe.c.opensslv110_nossl2 2017-03-23 19:17:30.323349765 -0400
+++ ./src/nrpe.c 2017-03-23 19:19:36.959326843 -0400
@@ -109,8 +109,7 @@ int listen_queue_size = DEFAULT_LI
/* SSL/TLS parameters */
typedef enum _SSL_VER {
- SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus, TLSv1,
- TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus
+ TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus
} SslVer;
typedef enum _CLNT_CERTS {
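Review bot: After this change the first enumerator, `TLSv1`, has the value 0, whereas the old enum started at `SSLv2 = 1` and gave 0 no valid meaning. If `sslprm` is ever zero-initialised or cleared without an explicit `ssl_min_ver` (its initialiser is not visible here), it would now read as "TLSv1 (only)" and not as an unset value. check_nrpe.c reserves zero with `SSL_Ver_Invalid = 0`; doing the same here, `SSL_Ver_Invalid = 0, TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus`, keeps the two files consistent and makes an unset version detectable.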
@@ -278,14 +277,6 @@ void init_ssl(void)
}
}
}
-# ifndef OPENSSL_NO_SSL2
- if (sslprm.ssl_min_ver == SSLv2)
- meth = SSLv2_server_method();
-# endif
-# ifndef OPENSSL_NO_SSL3
- if (sslprm.ssl_min_ver == SSLv3)
- meth = SSLv3_server_method();
-# endif
if (sslprm.ssl_min_ver == TLSv1)
meth = TLSv1_server_method();
# ifdef SSL_TXT_TLSV1_1
@@ -305,9 +296,6 @@ void init_ssl(void)
}
switch(sslprm.ssl_min_ver) {
- case SSLv2:
- case SSLv2_plus:
- break;
case TLSv1_2:
case TLSv1_2_plus:
ssl_opts |= SSL_OP_NO_TLSv1_1;
@@ -317,9 +305,6 @@ void init_ssl(void)
case TLSv1:
case TLSv1_plus:
ssl_opts |= SSL_OP_NO_SSLv3;
- case SSLv3:
- case SSLv3_plus:
- ssl_opts |= SSL_OP_NO_SSLv2;
break;
}
SSL_CTX_set_options(ctx, ssl_opts);
@@ -401,18 +386,6 @@ void log_ssl_startup(void)
1 ? "Accept" : "Require"));
syslog(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts);
switch (sslprm.ssl_min_ver) {
- case SSLv2:
- vers = "SSLv2";
- break;
- case SSLv2_plus:
- vers = "SSLv2 And Above";
- break;
- case SSLv3:
- vers = "SSLv3";
- break;
- case SSLv3_plus:
- vers = "SSLv3 And Above";
- break;
case TLSv1:
vers = "TLSv1";
break;
@@ -814,15 +787,7 @@ int read_config_file(char *filename)
}
} else if (!strcmp(varname, "ssl_version")) {
- if (!strcmp(varvalue, "SSLv2"))
- sslprm.ssl_min_ver = SSLv2;
- else if (!strcmp(varvalue, "SSLv2+"))
- sslprm.ssl_min_ver = SSLv2_plus;
- else if (!strcmp(varvalue, "SSLv3"))
- sslprm.ssl_min_ver = SSLv3;
- else if (!strcmp(varvalue, "SSLv3+"))
- sslprm.ssl_min_ver = SSLv3_plus;
- else if (!strcmp(varvalue, "TLSv1"))
+ if (!strcmp(varvalue, "TLSv1"))
sslprm.ssl_min_ver = TLSv1;
else if (!strcmp(varvalue, "TLSv1+"))
sslprm.ssl_min_ver = TLSv1_plus;