On 17.02.2018 at 04:22, Doug Hardie wrote:
> I have encountered an interesting situation while trying to resolve a PR on 
> qpopper.  I am unable to build qpopper on 11.1 (and probably 11.0) because 
> the openssl function SSLv3_server_method has been removed.  I can see where 
> the SSLv2 functions are disabled in ssl.h, but the SSLv3 functions appear 
> that they should be there.  nm on libssl shows they are there.  Clang's 
> linker can't link to them.  One of the qpopper users indicates that the 
> problem does not exist on 10.4.  I believe the loss of the SSLv3 methods is a 
> bug and have filed a bug report.

It is a deliberate security measure to remove SSLv3 methods, and not a
bug. The protocol is broken.

> Resolution of that PR will obviously take some time.  The question at hand is 
> what to do in the meantime. I am guessing the packages must be built on 10.x 
> or there would be a report of the problem.  I can easily change the code, via 
> a patch, to use SSLv23_server_method in all cases, or the preferred 
> TLSv1_server_method.  That will eliminate the options to restrict qpopper to 
> SSLv2 or SSLv3.  This does not appear to be an issue for those running 11.x.  
> However, it is for those using 10.x and earlier.  Given the security issues 
> today, I can't imagine anyone wanting to use those options, but it is 
> possible someone is using them.  Switching to the TLSv1_server_method will 
> remove that capability for them.  

Use SSLv23_server_method(), and use code to block out SSLv2 + SSLv3 on
those systems that still support them - which depends on the
OpenSSL/LibreSSL version, however:
Older OpenSSL and LibreSSL require SSL_OP_NO_SSLv3 and SSL_OP_NO_SSLv2
set through ..._set_options() on the SSL or CTX,
newer OpenSSL (1.1.0+) has ..._set_min_proto_version(..., TLS1_VERSION).

_______________________________________________
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"