On Mon, Oct 27, 2014 at 09:07:58PM +0100, Sebastian Andrzej Siewior wrote:
> package: ircd-hybrid
> version: 1:7.2.2.dfsg.2-10
> tags: security patch
> Control: fixed -1 1:8.0.4.dfsg.1-1
>
> So I looked how to disable SSLv3 in ircd-hybrid and didn't find
> anything. It seems that in the v8 version they disable SSLv2 and SSLv3
> while in the v7 version they only disable SSLv2.
> I applied the change at the bottom of this mail to disable SSLv3 in the v7
> version which is currently in Wheezy.
>
> Given the fact that one should disable SSLv3 and that this package has
> to be manually recompiled in order to enable SSL at all - how are the
> chances that an update hits Wheezy? :)

This is a question for the security team, but I'd hope that it would be considered - indeed the same sort of change has been made before in DSAs (for Iceweasel at least, I believe).

> diff --git a/src/ircd.c b/src/ircd.c > --- a/src/ircd.c > +++ b/src/ircd.c > @@ -512,7 +512,7 @@ init_ssl(void) > ilog(L_CRIT, "ERROR: Could not initialize the SSL context -- %s\n", s); > } > > - SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_NO_SSLv2); > + SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); > SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_TLS_ROLLBACK_BUG|SSL_OP_ALL); > SSL_CTX_set_verify(ServerInfo.ctx, SSL_VERIFY_NONE, NULL); > > -- > 1.7.10.4

Thanks,
Dominic.
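
Review bot: the unchanged context line directly after the modified SSL_CTX_set_options() call still sets SSL_OP_TLS_ROLLBACK_BUG, which in OpenSSL disables version rollback attack detection, so the context keeps a downgrade-related workaround enabled while this change is meant to refuse SSLv3. Consider dropping that flag in the same update (keeping SSL_OP_ALL), or stating in the changelog why it has to stay. A short comment above the changed line saying that SSLv3 is refused on purpose would also help anyone comparing the v7 code with v8 later.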

