Source: dnsval
Version: 2.0-2
Severity: serious

Hi,

Version 2.0 has this line in dane_check.c:
    const SSL_METHOD *meth = SSLv3_client_method();

On the other hand, the 2.1 version has:
    const SSL_METHOD *meth = SSLv23_client_method();

(It also explicitly disables SSLv2 and SSLv3, but that doesn't
have any effect in Debian since jessie.)

Please change the 2.0 to use SSLv23_client_method() that actually
supports multiple versions.  The SSLv3_client_method only talks
SSLv3.

Also please consider backporting to stable, you really don't want
to use SSLv3.


Kurt
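
Added example, not part of the original report and not dnsval code: a small source audit that flags OpenSSL method constructors pinned to a single protocol version, such as the SSLv3_client_method() call reported above, while leaving the version-negotiating SSLv23_*_method() and TLS_*_method() alone. The function name find_pinned_methods and the sample input are constructed for illustration.

```python
import re

# Blank out comments, string literals and char literals so that only real
# code is searched; newlines are kept so line numbers stay correct.
_SKIP = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])'|/\*.*?\*/|//[^\n]*''', re.S)

# OpenSSL constructors that pin one protocol version. SSLv23_*_method()
# and TLS_*_method() negotiate the version and are deliberately not matched.
_PINNED = re.compile(
    r"\b(?P<name>(?P<proto>SSLv2|SSLv3|TLSv1_1|TLSv1_2|TLSv1|DTLSv1_2|DTLSv1)"
    r"_(?:client_|server_)?method)\s*\("
)

def find_pinned_methods(c_source):
    """Return (line, function, protocol) for each single-version method call."""
    code = _SKIP.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), c_source)
    return [
        (code.count("\n", 0, m.start()) + 1, m.group("name"), m.group("proto"))
        for m in _PINNED.finditer(code)
    ]

# Constructed sample input (not taken from the dnsval source tree).
SAMPLE = """\
/* old code used SSLv3_client_method() here */
const SSL_METHOD *a = SSLv3_client_method();
const SSL_METHOD *b = SSLv23_client_method();
const SSL_METHOD *c = TLSv1_2_method ();
"""

if __name__ == "__main__":
    for line, name, proto in find_pinned_methods(SAMPLE):
        print(f"line {line}: {name}() speaks only {proto}")
```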
