On Tue, 03 Nov 2015 20:50:43 +0100, Kurt Roeckx wrote:

> You really only ever want to use SSLv23_client_method() since that
> is the only one that supports multiple versions.  I suggest you
> modify your nossl2.patch to just replace all of the above by:
>       ctx = SSL_CTX_new(SSLv23_client_method());
> 
> ssl_version would then become an unused variable.
> 
> Just like SSLv2 has already been removed, SSLv3 is now also
> removed because it's insecure.

Some findings:
- nossl2.patch doesn't exist anymore in git, since it was merged
  upstream, and we have 0.72 in git but never uploaded due to some
  packaging glitches (and then the freeze)
- 0.72 is the last upstream release and contains this code
- upstream has in the meantime changed it in a dev release on the
  CPAN (0.73_04) [0] and in git [1]:

[0] https://metacpan.org/diff/file?target=NANIS%2FCrypt-SSLeay-0.73_04%2F&source=NANIS%2FCrypt-SSLeay-0.72%2F#SSLeay.xs
[1] https://github.com/nanis/Crypt-SSLeay/blob/0.73_04/SSLeay.xs


At a quick glance this looks good, since there's only
SSLv23_client_method() left. What confuses me a bit is
- in the .xs file the allow_sslv3 variable
- in the .pm file the HTTPS_VERSION environment variable.


Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer -  https://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Leonard Cohen: Amen
