Source: medusa
Version: 2.1.1-1
Severity: serious
Control: block 797926 by -1
Hi,
SSLv3 support has been removed in Debian and as a result your
package now fails to build. The code looks like this:
/* The SSL context can support SSLv2, SSLv3, or both. The default is to use
   whatever the server demands. The module can override this by setting
   nSSLVersion. */
/* Debian's OpenSSL has SSLv2 support disabled. */
#ifndef OPENSSL_NO_SSL2
  if (pParams->nSSLVersion == 2)
    sslContext = SSL_CTX_new(SSLv2_client_method());
  else
#endif
  if (pParams->nSSLVersion == 3)
    sslContext = SSL_CTX_new(SSLv3_client_method());
  else if (pParams->nSSLVersion == (float)3.1)
    sslContext = SSL_CTX_new(TLSv1_client_method());
  else
    sslContext = SSL_CTX_new(SSLv23_client_method());
And then you seem to have various code doing things like:
params.nSSLVersion = 3.1; /* Force the use of TLSv1 */
And one location doing:
params.nSSLVersion = 3; /* VMware Authentication Daemon requires SSLv3 */
There doesn't seem to be a default value for nSSLVersion, so I
assume it's 0 in which case you should end up at the
SSLv23_* method.
Please note that SSLv3 support has been completely removed in
the new version. If that VMware Authentication Daemon still
requires SSLv3 it's just not going to work anymore.
The SSLv23_* methods are the only ones that support multiple
protocol versions and I suggest you only use those. The others
will go away in the future.
If there is a need to limit the protocol please use
SSL_(CTX_)set_options with something like SSL_OP_NO_SSLv3.
Kurt