Source: zorp
Version: 3.9.5-7
Severity: serious
Control: block 797926 by -1

Hi,

The SSLv3 methods in the openssl package have been removed and as
a result your package can't be built anymore.

The code looks like:
  if (strcmp(self->ssl_opts.ssl_method[side]->str, "SSLv23") == 0)
    {
      if (side == EP_CLIENT)
        ctx = SSL_CTX_new(SSLv23_server_method());
      else
        ctx = SSL_CTX_new(SSLv23_client_method());
    }
#ifndef OPENSSL_NO_SSL2
  else if (strcmp(self->ssl_opts.ssl_method[side]->str, "SSLv2") == 0)
    {
      if (side == EP_CLIENT)
        ctx = SSL_CTX_new(SSLv2_server_method());
      else
        ctx = SSL_CTX_new(SSLv2_client_method());
    }
#endif
  else if (strcmp(self->ssl_opts.ssl_method[side]->str, "SSLv3") == 0)
    {
      if (side == EP_CLIENT)
        ctx = SSL_CTX_new(SSLv3_server_method());
      else
        ctx = SSL_CTX_new(SSLv3_client_method());
    }
  else if (strcmp(self->ssl_opts.ssl_method[side]->str, "TLSv1") == 0)
    {
      if (side == EP_CLIENT)
        ctx = SSL_CTX_new(TLSv1_server_method());
      else
        ctx = SSL_CTX_new(TLSv1_client_method());
    }
  else
    {
      z_proxy_log(self, CORE_POLICY, 1, "Bad SSL method; method='%s', side='%s'",
                  self->ssl_opts.ssl_method[side]->str, EP_STR(side));
      z_proxy_return(self, FALSE);
    }


And the documentation like:
      <enum maturity="stable" id="enum.ssl.method">
        <description>
          Constants for SSL/TLS protocol selection
        </description>
        <item maturity="obsolete">
          <name>SSL_METHOD_SSLV23</name>
          <description>
           Permit the use of SSLv2 and v3.
          </description>
        </item>
        <item>
          <name>SSL_METHOD_SSLV2</name>
          <description>
           Permit the use of SSLv2 exclusively.
          </description>
        </item>
        <item>
          <name>SSL_METHOD_SSLV3</name>
          <description>
                Permit the use of SSLv3 exclusively.
          </description>
        </item>
        <item>
          <name>SSL_METHOD_TLSV1</name>
          <description>
                Permit the use of TLSv1 exclusively.
          </description>
        </item>
        <item>
          <name>SSL_METHOD_ALL</name>
          <description>
           Permit the use of all the supported (SSLv2, SSLv3, and TLSv1) protocols.
          </description>
        </item>
      </enum>

There is also:
SSL_METHOD_SSLV23       = "SSLv23"
SSL_METHOD_SSLV2        = "SSLv2"
SSL_METHOD_SSLV3        = "SSLv3"
SSL_METHOD_TLSV1        = "TLSv1"
SSL_METHOD_ALL          = "SSLv23"

So at least the documentation about SSL_METHOD_SSLV23 is wrong,
since it's actually the same as SSL_METHOD_ALL.  The SSLv23_*
methods are the only ones that support multiple protocol versions,
and that currently includes up to TLS 1.2.

I recommend only using the SSLv23_* methods; the others will go
away in the future.  If you want to limit the support to a
protocol version, I suggest you use the SSL(_CTX)_set_options()
options with something like SSL_OP_NO_SSLv3.


Kurt
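The approach Kurt recommends above (one version-flexible SSLv23 context, narrowed with SSL_OP_NO_* options rather than one SSL_METHOD per protocol version), written out as an added example. This is not code from the bug report or from zorp. It uses Python's standard ssl module, which wraps the same OpenSSL calls: ssl.PROTOCOL_TLS_SERVER/PROTOCOL_TLS_CLIENT are the current names for SSLv23_method(), and SSLContext.options is SSL_CTX_set_options(). The mapping of zorp's legacy method names to allowed versions mirrors the enum quoted above; the "SSLv2" entry is left out because OpenSSL no longer offers SSLv2 at all. The side handling copies the quoted zorp code, where the proxy's client side is the one on which it acts as a TLS server. Function and table names here are this example's own.

```python
import ssl
import warnings

# Which protocol each OP_NO_* flag disables.  OP_NO_TLSv1_3 only exists on
# builds against OpenSSL 1.1.1+, so fall back to 0 (a no-op) when absent.
NO_VERSION = {
    "SSLv3":   ssl.OP_NO_SSLv3,
    "TLSv1":   ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
    "TLSv1.3": getattr(ssl, "OP_NO_TLSv1_3", 0),
}

# What each legacy zorp method name was meant to allow (example table that
# mirrors the enum quoted in the report; "SSLv2" is intentionally absent).
LEGACY_METHODS = {
    "SSLv23": set(NO_VERSION),   # version-flexible: everything the library has
    "SSLv3":  {"SSLv3"},
    "TLSv1":  {"TLSv1"},
}


def options_for_method(method):
    """Translate a legacy method name into the OP_NO_* mask to OR into a
    version-flexible context.  Unknown names are rejected, so a typo in the
    policy fails closed instead of silently enabling every version."""
    try:
        allowed = LEGACY_METHODS[method]
    except KeyError:
        raise ValueError("Bad SSL method; method=%r" % (method,))
    mask = 0
    for version, flag in NO_VERSION.items():
        if version not in allowed:
            mask |= flag
    return mask


def build_context(method, side):
    """Build the single version-flexible context (the modern name for
    SSLv23_method) and restrict it with options.  'side' follows the quoted
    zorp code: on the proxy's client side the proxy acts as a TLS server."""
    if side == "client":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    elif side == "server":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    else:
        raise ValueError("Bad side; side=%r" % (side,))
    with warnings.catch_warnings():
        # Python 3.10+ marks OP_NO_* as deprecated in favour of
        # minimum_version/maximum_version; the flags still take effect.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= options_for_method(method)
    return ctx


def masked_out(ctx):
    """Protocol names whose OP_NO_* flag is set on ctx.  This reports only
    the options-based restriction; minimum_version/maximum_version (OpenSSL's
    SSL_CTX_set_min/max_proto_version) can narrow the range further."""
    return sorted(v for v, flag in NO_VERSION.items() if flag and ctx.options & flag)


if __name__ == "__main__":
    for name in ("SSLv23", "SSLv3", "TLSv1"):
        ctx = build_context(name, "client")
        print("%-6s -> masked out: %s" % (name, ", ".join(masked_out(ctx)) or "nothing"))
    try:
        build_context("SSLv2", "client")
    except ValueError as exc:
        print("rejected:", exc)
```

Running it shows why the single-method approach is the right one: the "SSLv23" context already reports SSLv3 as masked out, because current Python and OpenSSL disable SSLv2 and SSLv3 by default, so an "SSLv3" policy simply yields a context that can negotiate nothing, while a "TLSv1" policy still works and can be widened to TLS 1.1/1.2 by clearing flags instead of by swapping methods. On Python 3.7+ with OpenSSL 1.1.0+, ctx.minimum_version and ctx.maximum_version are the preferred way to express the same restriction.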
