Weird SSLv2 problem

[qharlie]

I'm on ubuntu 10.04 with libssl-dev and libcrypto installed, compiling node from head I kept getting

../src/node_crypto.cc: In static member function ‘static v8::Handlev8::Value node::crypto::SecureContext::Init(const v8::Arguments&)’:
../src/node_crypto.cc:102: error: ‘SSLv2_method’ was not declared in this scope
../src/node_crypto.cc:104: error: ‘SSLv2_server_method’ was not declared in this scope
../src/node_crypto.cc:106: error: ‘SSLv2_client_method’ was not declared in this scope

Looking in ssl.h I see they have a conditional

ifndef OPENSSL_NO_SSL2

I wrapped the parts in node_crypto.cc to look like this

ifndef OPENSSL_NO_SSL2

if (strcmp(*sslmethod, "SSLv2_method") == 0) {
  method = SSLv2_method();
} else if (strcmp(*sslmethod, "SSLv2_server_method") == 0) {
  method = SSLv2_server_method();
} else if (strcmp(*sslmethod, "SSLv2_client_method") == 0) {
  method = SSLv2_client_method();
} 

endif

And the problem went away.

[kapouer]

I had the same issue here : openssl 1.0.0 allows to disable easily v2 methods, which are considered not so secure.
This patch adds a --no-ssl2 switch to wscript and throw a more explicit error when those methods are used within node :
https://gist.github.com/912440

[mscdex]

+1 for this patch

[ixti]

It would be nice if this will be fixed at least on next release...

[isaacs]

29da0ae0edc14e0482403de8d3305e01e1c52c9f seems like the best approach to me. @ry, what do you think?

[guybrush]

nice!

this can be closed too: #676

[MoarDm]

For newbies:

• download and extract into node sources directory no_ssl_v2.patch
• apply patch with command: git apply no_ssl_v2.patch