The OpenSSL Library no longer includes SSLv3
Previous posts about the upcoming OpenSSL 4.0 release:
- removing ENGINE code
- removing deprecated functions for creating or modifying custom METHODS
- no longer registering a function via atexit function
- adding ECH support
Summary
Secure Sockets Layer version 3.0 (SSLv3) was deprecated in RFC 7568. SSLv3 was disabled at build-time in OpenSSL 1.0.2h by default. As of OpenSSL 4.0, SSLv3 support has been removed altogether.
In addition, OpenSSL no longer supports the SSLv2 Client Hello.
Applications that currently use SSLv3 or the SSLv2 Client Hello should be updated to a supported version of the Transport Layer Security (TLS) protocol. As of this writing, that includes TLS 1.2 and TLS 1.3.
Background
OpenSSL supported both SSLv2 and SSLv3 from its inception in December 1998. (SSL version 1.0 was never published.) TLS version 1.0 was published in January of 1999 and OpenSSL began supporting the new TLSv1 ciphers in March.
In order to maintain backward compatibility during the transition from SSLv2 to SSLv3, clients could send an SSLv2 Client Hello. If the server supported SSLv3, it could reply with an SSLv3 Server Hello and initiate a connection with the newer protocol. (For more details, see “E.2. Compatibility with SSL 2.0” in RFC 2246.) Despite warnings that this backward compatibility would be phased out, the RFCs through TLS 1.2 allowed for SSLv2 Client Hello messages.
The wording of the RFCs is interesting. In 1996 SSLv3 had this warning:
Warning: The ability to send version 2.0 client hello messages will be phased out with all due haste. Implementers should make every effort to move forward as quickly as possible. Version 3.0 provides better mechanisms for transitioning to newer versions.
TLS 1.0 (1999), TLS 1.1 (2006), and TLS 1.2 (2008) have similar warnings. Finally in 2018, TLS 1.3 changed the wording:
Implementations MUST NOT send an SSL version 2.0 compatible CLIENT-HELLO. Implementations MUST NOT negotiate TLS 1.3 or later using an SSL version 2.0 compatible CLIENT-HELLO. Implementations are NOT RECOMMENDED to accept an SSL version 2.0 compatible CLIENT-HELLO in order to negotiate older versions of TLS.
Some clients (notably Internet Explorer 6 on Windows XP and Java 6 clients) sent the SSLv2 Client Hello by default even after SSLv2 servers were virtually extinct. Even if they did connect with a server that still supported SSLv2, these clients likely did not themselves support SSLv2.
SSLv2 and the weak ciphers from SSLv3 were disabled by default in 2016 in response to CVE-2016-0800. (For more details on that vulnerability, see An OpenSSL user’s guide to DROWN.) Unless an application was built with a custom build of the OpenSSL Library with those protocols enabled, they could no longer connect to SSLv2 or SSLv3.
With very few extant systems that support SSLv3 and the SSLv2 Client Hello, it’s time for the code to be removed. PR #29338 removes SSLv3 code from the OpenSSL Library and #28041 removes support for the SSLv2 Client Hello. It’s unlikely many people will notice these changes when upgrading to OpenSSL 4.0 since these features have been obsolete for many years. If you are using a legacy system that requires SSLv3, this is an excellent opportunity to replace that system.
A bit of trivia: OpenSSL 4.0 will be the first release of the OpenSSL Library that does not have SSL. (Of course, OpenSSL continues to support TLS, which is the successor to SSL.)