Package: haproxy
Version: 1.5.8

Problem described in: https://www.rfc-editor.org/rfc/rfc7568.txt
According to RFC 7568, SSLv3 is no longer considered secure, and a system
OpenSSL may be compiled without it (OPENSSL_NO_SSL3, as on Jessie). This
patch compiles the SSLv3_*_method() calls out when OPENSSL_NO_SSL3 is
defined, so haproxy builds against such an OpenSSL, and turns a
configuration that requests SSLv3 into a startup error instead.

Below is the patch:

--- haproxy-1.5.8.orig/src/ssl_sock.c
+++ haproxy-1.5.8/src/ssl_sock.c
@@ -1506,8 +1506,14 @@ int ssl_sock_prepare_ctx(struct bind_con
                ssloptions |= SSL_OP_NO_TLSv1_2;
        if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
                ssloptions |= SSL_OP_NO_TICKET;
-       if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3)
+       if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3) {
+#ifndef OPENSSL_NO_SSL3
                SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
+#else
+               Alert("SSLv3 support requested but unavailable.\n");
+               cfgerr++;
+#endif
+       }
        if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV10)
                SSL_CTX_set_ssl_version(ctx, TLSv1_server_method());
 #if SSL_OP_NO_TLSv1_1
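Review bot: The Alert on the `#else` branch gives the operator no way to locate the offending `force-sslv3` when a configuration has several bind lines, because the message carries no proxy or bind file/line; the neighbouring Alerts in ssl_sock_prepare_ctx (outside this hunk) appear to include that location, and this one should follow suit, e.g. `Alert("Proxy '%s': SSLv3 requested on bind at [%s:%d] but this OpenSSL was built without SSLv3 (OPENSSL_NO_SSL3).\n", ...)` with the identifiers that function already uses. The `cfgerr++` relies on `cfgerr` being the function's existing error counter declared above the hunk; the function starts and ends outside the hunk so that is assumed here. Note that the `#ifndef OPENSSL_NO_SSL3` branch still honours `force-sslv3` wherever OpenSSL does provide SSLv3, so this patch does not by itself enforce RFC 7568; a Warning in that branch would be a reasonable follow-up but is outside the scope of this build fix.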
@@ -1853,8 +1859,14 @@ int ssl_sock_prepare_srv_ctx(struct serv
                options |= SSL_OP_NO_TLSv1_2;
        if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
                options |= SSL_OP_NO_TICKET;
-       if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
+       if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3) {
+#ifndef OPENSSL_NO_SSL3
                SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, 
SSLv3_client_method());
+#else
+               Alert("SSLv3 support requested but unavailable.");
+               cfgerr++;
+#endif
+       }
        if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
                SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, 
TLSv1_client_method());
 #if SSL_OP_NO_TLSv1_1
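Review bot: The Alert string on the `#else` branch is missing the trailing newline that the matching frontend message has, so the next line of output will run on to it; make it `Alert("SSLv3 support requested but unavailable.\n");`. Like the frontend message it also names neither the proxy nor the server, which the other Alerts in ssl_sock_prepare_srv_ctx (outside this hunk) appear to do via the proxy and server ids and the server's file/line, and an operator debugging a failed start would want that. The `SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, ` lines appear to have been wrapped by the mailer onto a continuation line; as displayed the hunk will not apply cleanly and should be re-joined from the original file. ssl_sock_prepare_srv_ctx starts and ends outside the hunk, so `cfgerr` is assumed to be its existing error counter.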


I am using Debian GNU/Linux 8 (Jessie), kernel 3.16.7-ckt25-1 and glibc
2.19-18+deb8u4.
