Source: apf
Severity: serious
Hi,

Your package uses this in afserver.c:

    method = SSLv3_server_method();

And this in afclient.c:

    method = SSLv3_client_method();

Please change those to use SSLv23_server_method() and
SSLv23_client_method() instead. The SSLv3_* methods only
support SSLv3, while SSLv23_* is the only one that supports
multiple versions.

The SSLv3_* methods have now been removed in unstable.
SSLv3 is no longer considered secure and you should stop using it.
SSLv3 support has been disabled in jessie when using the SSLv23_*
methods, but you could still create it using the SSLv3_* methods.

This means that if you fix this, both sides need to be fixed, else
they won't be able to talk to each other. So I suggest you fix
this in all branches.

Kurt
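
A source audit for the calls this report asks to change, as an added example that is not part of the original report or of apf's code: it flags fixed-version OpenSSL method constructors in C source, ignoring comments and string literals, and names the SSLv23_* counterpart for each. It generalizes from SSLv3_* to the other version-pinned constructors; the sample source and the names `find_pinned_methods` and `pick` are constructed for illustration.

```python
import re

# Fixed-version OpenSSL method constructors: each pins the connection to a
# single protocol version, whereas the SSLv23_* family negotiates one.
PINNED = re.compile(
    r"\b(SSLv2|SSLv3|TLSv1|TLSv1_1|TLSv1_2)_(server_|client_)?method\s*\("
)
# C comments and string literals, blanked out before matching.
SKIP = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)


def _blank(match):
    # Replace everything except newlines so line numbers stay correct.
    return re.sub(r"[^\n]", " ", match.group(0))


def find_pinned_methods(source):
    """Return (line, found_call, suggested_call) for each pinned constructor."""
    code = SKIP.sub(_blank, source)
    hits = []
    for m in PINNED.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        role = m.group(2) or ""  # "server_", "client_" or "" (generic)
        hits.append((line, f"{m.group(1)}_{role}method", f"SSLv23_{role}method"))
    return hits


# Constructed sample; the two live calls mirror the ones quoted in the report.
SAMPLE = '''\
/* constructed sample, not apf source */
static const SSL_METHOD *pick(int server)
{
    /* old: method = SSLv3_method(); */
    if (server)
        return SSLv3_server_method();
    puts("SSLv3_client_method() is next");
    return SSLv3_client_method();
}
'''

if __name__ == "__main__":
    for line, found, suggested in find_pinned_methods(SAMPLE):
        print(f"line {line}: {found}() -> {suggested}()")
```

Because a client and a server must both move off the pinned method to keep talking to each other, run the audit over both programs before changing either.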