On 11/14/2015 09:02 AM, Alex Rousskov wrote:

> If we can provide a small better fix, we will. If a better fix requires
> too many unrelated changes to this Polygraph version, we will provide a
> patch that disables SSLv3 (until a recent Polygraph version with a
> comprehensive fix is released).

The attached patch allows Polygraph to be built against an OpenSSL
library that does not provide SSLv3, while preserving the legacy SSLv3
functionality for those whose OpenSSL still has it and who need it.


HTH,

Alex.

Support OpenSSL builds without SSLv3 support.

This patch is for Polygraph version 4.3.2-1.2 used by Debian.


diff --git a/src/xstd/Ssl.cc b/src/xstd/Ssl.cc
index 92f81b2..141110e 100644
--- a/src/xstd/Ssl.cc
+++ b/src/xstd/Ssl.cc
@@ -1,68 +1,76 @@
 
 /* Web Polygraph       http://www.web-polygraph.org/
  * Copyright 2003-2011 The Measurement Factory
  * Licensed under the Apache License, Version 2.0 */
 
 #include "xstd/xstd.h"
 
 #if OPENSSL_ENABLED
 #include <openssl/err.h>
 #include <openssl/rand.h>
 #endif
 
 #include "xstd/Assert.h"
 #include "xstd/String.h"
 #include "xstd/Ssl.h"
 
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#define SecureProtoAny_method TLS_method
+#else
+#define SecureProtoAny_method SSLv23_method
+#endif
+
 int Ssl::TheLevel = 0;
 
 // XXX: we should set the [SSL] error when SSL library is not found
 // XXX: we should set the global error to an SSL error when an SSL call fails
 
 /* SslCtx class */
 
 SslCtx::SslCtx(SslProtocol protocol, const String &cipher): theCtx(0) {
 #if OPENSSL_ENABLED
 	Must(IsProtocolSupported(protocol));
 	/* Pass *_method() result directly to SSL_CTX_new(3) instead
 	 * of storing it in a variable and calling SSL_CTX_new(3)
 	 * once. These functions use const types in OpenSSL 1.0 and
 	 * non-const types in older OpenSSL versions and it breaks the
 	 * build. */
 	switch(protocol) {
 		case SSLv2:
 #ifndef OPENSSL_NO_SSL2
 			theCtx = ::SSL_CTX_new(::SSLv2_method());
 #endif
 			break;
 		case TLSv1:
 			theCtx = ::SSL_CTX_new(::TLSv1_method());
 			break;
 		case SSLv3:
+#ifndef OPENSSL_NO_SSL3_METHOD
 			theCtx = ::SSL_CTX_new(::SSLv3_method());
+#endif
 			break;
 		case SSLv23:
-			theCtx = ::SSL_CTX_new(::SSLv23_method());
+			theCtx = ::SSL_CTX_new(::SecureProtoAny_method());
 			break;
 		default:
-			theCtx = ::SSL_CTX_new(::SSLv23_method());
+			theCtx = ::SSL_CTX_new(::SecureProtoAny_method());
 			Should(false);
 	}
 	Must(theCtx);
 	Must(::SSL_CTX_set_cipher_list(theCtx, cipher.cstr()));
 #endif
 }
 
 SslCtx::SslCtx(const SslCtx &anSslCtx) {
 	Assert(false);
 }
 
 SslCtx::~SslCtx() {
 #if OPENSSL_ENABLED
 	if (theCtx)
 		::SSL_CTX_free(theCtx);
 #endif
 }
 
 SslCtx &SslCtx::operator =(const SslCtx &anSslCtx) {
 	Assert(false);
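Review bot: When `OPENSSL_NO_SSL3_METHOD` is defined the new guard in `case SSLv3:` leaves `theCtx` null, so the constructor falls through to `Must(theCtx)` and aborts on a bare assertion instead of reporting that SSLv3 is unavailable in this OpenSSL build; `Must(IsProtocolSupported(protocol))` just above is the natural place to reject SSLv3 in such builds, but that function is outside this hunk and the patch does not show it being updated, so I would at least add an `#else` branch with `/* SSLv3 disabled in this OpenSSL build; IsProtocolSupported() should reject it before we get here */` and make that function return false for SSLv3 under the same macro. The `SecureProtoAny_method` name also overstates what the `SSLv23` case does: on OpenSSL before 1.1.0 it expands to `SSLv23_method`, which still negotiates SSLv3 (and SSLv2 where compiled in) unless `SSL_CTX_set_options(theCtx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)` is applied after `Must(theCtx)`, and `TLS_method` on 1.1.0 likewise offers whatever the library was built with. If keeping legacy negotiation on that path is deliberate, as the cover note suggests, a neutral name such as `AnyProto_method` plus a comment saying the options are intentionally left open would avoid readers assuming the thread's goal of disabling SSLv3 has been met here. The rest of `SslCtx::operator=` runs past the end of the hunk.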
