On Fri, Nov 06, 2015 at 09:22:04PM +0200, Niko Tyni wrote:
> On Fri, Nov 06, 2015 at 05:48:32PM +0100, gregor herrmann wrote:
>
> > I have to admit that I'm still not completely sure if/how this
> > affects us packaging-wise. My current understanding is, that the
> > library would allow to set SSLv3 via HTTPS_VERSION which will fail
> > now on Debian but that it should just work fine with the default
> > values. Is this correct?
>
> As discussed on IRC, it looks to me like there's no code support for
> HTTPS_VERSION in 0.73_04 anymore. It seems to be just a leftover in
> the docs.
>
> The upstream code in 0.73_04 now uses SSLv23_client_method() with
> SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
> by default, and with
> SSL_OP_ALL | SSL_OP_NO_SSLv2
> if the (currently undocumented) environment variable
> CRYPT_SSLEAY_ALLOW_SSLv3 is set.
>
> This seems to be pretty much what we want, so I think uploading 0.73_04 is
> the way to fix this bug. The docs could be improved a bit of course.

Yes, that looks good to me.

Kurt