Source: medusa
Version: 2.1.1-1
Severity: serious
Control: block 797926 by -1
Hi,

SSLv3 support has been removed in Debian and as a result your package now fails to build.

The code looks like this:

    /* The SSL context can support SSLv2, SSLv3, or both. The default is to use whatever the server demands. The module can override this by setting nSSLVersion. */
    /* Debian's OpenSSL has SSLv2 support disabled. */
    #ifndef OPENSSL_NO_SSL2
    if (pParams->nSSLVersion == 2)
      sslContext = SSL_CTX_new(SSLv2_client_method());
    else
    #endif
    if (pParams->nSSLVersion == 3)
      sslContext = SSL_CTX_new(SSLv3_client_method());
    else if (pParams->nSSLVersion == (float)3.1)
      sslContext = SSL_CTX_new(TLSv1_client_method());
    else
      sslContext = SSL_CTX_new(SSLv23_client_method());

And then you seem to have various code doing things like:

    params.nSSLVersion = 3.1; /* Force the use of TLSv1 */

And one location doing:

    params.nSSLVersion = 3; /* VMware Authentication Daemon requires SSLv3 */

There doesn't seem to be a default value for nSSLVersion, so I assume it's 0, in which case you should end up at the SSLv23_* method.

Please note that SSLv3 support has been completely removed in the new version. If that VMware Authentication Daemon still requires SSLv3 it's just not going to work anymore.

The SSLv23_* methods are the only ones that support multiple protocol versions and I suggest you only use those. The others will go away in the future. If there is a need to limit the protocol please use SSL_(CTX_)set_options with something like SSL_OP_NO_SSLv3.

Kurt
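Added example (not part of the original report and not medusa's code): the approach recommended above, one version-flexible context narrowed by option bits, shown with Python's ssl module because it wraps the same OpenSSL calls and runs without a build step. The names client_context, enabled_by_options and the force parameter are hypothetical.

```python
import ssl
import warnings

# OP_NO_* bit for each protocol a version-flexible context could negotiate.
NO_BIT = {
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
    "TLSv1.3": ssl.OP_NO_TLSv1_3,
}


def client_context(disable=("SSLv3",), force=None):
    """Hypothetical stand-in for the nSSLVersion switch quoted in the report.

    Every caller gets the version-flexible method; protocol limits are
    expressed as option bits instead of a per-version *_client_method().
    """
    if force is not None:
        # A forced single version (the nSSLVersion == 3 case) has no method
        # left to map to once SSLv3 is compiled out, so refuse it up front.
        raise ValueError("cannot force %s: negotiate and disable instead" % force)
    # PROTOCOL_TLS_CLIENT selects OpenSSL's TLS_client_method(), the current
    # name of SSLv23_client_method().
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        # Recent Python versions mark OP_NO_* as deprecated; silenced here
        # because these option bits are what the example demonstrates.
        warnings.simplefilter("ignore", DeprecationWarning)
        for name in disable:
            ctx.options |= NO_BIT[name]  # SSL_CTX_set_options(ctx, SSL_OP_NO_...)
    return ctx


def enabled_by_options(ctx):
    """Protocols whose OP_NO_* bit is still clear on this context.

    Option bits only: minimum_version/maximum_version can narrow further.
    """
    return [name for name, bit in NO_BIT.items() if not ctx.options & bit]


if __name__ == "__main__":
    print(enabled_by_options(client_context()))
    print(enabled_by_options(client_context(disable=("SSLv3", "TLSv1", "TLSv1.1"))))
```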