Some SSLv3 parts (e.g. the SSLv3 ciphers) are still built in even when ssl3
support is disabled.
The attached patch fixes this:
diff -Nru openssl-1.0.1j.orig/ssl/s3_clnt.c openssl-1.0.1j/ssl/s3_clnt.c
--- openssl-1.0.1j.orig/ssl/s3_clnt.c 2014-10-15 14:53:39.000000000 +0200
+++ openssl-1.0.1j/ssl/s3_clnt.c 2014-10-30 13:52:07.021038200 +0100
@@ -167,9 +167,9 @@
#include <openssl/engine.h>
#endif
-static const SSL_METHOD *ssl3_get_client_method(int ver);
static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
+#ifndef OPENSSL_NO_SSL3
static const SSL_METHOD *ssl3_get_client_method(int ver)
{
if (ver == SSL3_VERSION)
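Review bot: With `ssl3_get_client_method` and the `SSLv3_client_method` constructor compiled out by this `#ifndef OPENSSL_NO_SSL3`, any declaration or caller left unguarded will fail at link time rather than at compile time in a no-ssl3 build. The patch touches only four `.c` files, so the public prototype and the exported-symbol list are presumably unchanged; the same applies to `SSLv3_method` in s3_meth.c and `SSLv3_server_method` in s3_srvr.c. I would wrap the three prototypes in the header in the same guard, `#ifndef OPENSSL_NO_SSL3` ... `#endif`, so misuse is caught by the compiler. The guarded region opened here is closed in the next hunk.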
@@ -182,6 +182,7 @@
ssl_undefined_function,
ssl3_connect,
ssl3_get_client_method)
+#endif /* !OPENSSL_NO_SSL3 */
int ssl3_connect(SSL *s)
{
diff -Nru openssl-1.0.1j.orig/ssl/s3_lib.c openssl-1.0.1j/ssl/s3_lib.c
--- openssl-1.0.1j.orig/ssl/s3_lib.c 2014-10-15 14:53:39.000000000 +0200
+++ openssl-1.0.1j/ssl/s3_lib.c 2014-10-30 13:52:07.022038285 +0100
@@ -169,6 +169,7 @@
/* list of available SSLv3 ciphers (sorted by id) */
OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+#ifndef OPENSSL_NO_SSL3
/* The RSA ciphers */
/* Cipher 01 */
{
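Review bot: The guard opened above `/* Cipher 01 */` removes cipher-suite table entries rather than a protocol version, and `ssl3_ciphers[]` is evidently shared with TLS, since the same array continues with `New AES ciphersuites` after the closing `#endif` in the next hunk. The entries between the two guards are outside both hunks, but if they are the RSA/DH/Kerberos suites the comments suggest, a no-ssl3 build would also stop offering them over TLS, including the 3DES suites that TLS 1.0 and 1.1 make mandatory to implement. If the goal is only to disable the SSL 3.0 protocol, leave the table unguarded and enforce the version at negotiation; if the goal is to drop weak suites, that deserves its own switch and a line in the description. The closing comment in the next hunk is `/* OPENSSL_NO_SSL3 */` while the other files use `/* !OPENSSL_NO_SSL3 */`.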
@@ -883,6 +884,7 @@
128,
},
#endif /* OPENSSL_NO_KRB5 */
+#endif /* OPENSSL_NO_SSL3 */
/* New AES ciphersuites */
/* Cipher 2F */
diff -Nru openssl-1.0.1j.orig/ssl/s3_meth.c openssl-1.0.1j/ssl/s3_meth.c
--- openssl-1.0.1j.orig/ssl/s3_meth.c 2014-10-15 14:51:06.000000000 +0200
+++ openssl-1.0.1j/ssl/s3_meth.c 2014-10-30 13:52:07.023038199 +0100
@@ -59,6 +59,7 @@
#include <stdio.h>
#include <openssl/objects.h>
#include "ssl_locl.h"
+#ifndef OPENSSL_NO_SSL3
static const SSL_METHOD *ssl3_get_method(int ver);
static const SSL_METHOD *ssl3_get_method(int ver)
@@ -74,4 +75,11 @@
ssl3_connect,
ssl3_get_method)
+#else /* !OPENSSL_NO_SSL3 */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
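Review bot: The conditional labels added in this patch are inconsistent: this hunk has `#else /* !OPENSSL_NO_SSL3 */` followed by a bare `#endif`, s3_lib.c closes with `/* OPENSSL_NO_SSL3 */`, and s3_clnt.c and s3_srvr.c close with `/* !OPENSSL_NO_SSL3 */`. The `#else` branch is the one compiled when `OPENSSL_NO_SSL3` is defined, so its label reads backwards unless it is meant to repeat the opening condition; I would label the final line `#endif /* !OPENSSL_NO_SSL3 */` and use one form throughout. `# if PEDANTIC` also evaluates a macro that may be undefined, which `-Wundef` reports; `# ifdef PEDANTIC` avoids that if the build only ever defines it without a value. A one-line comment saying that `dummy` presumably exists only to keep the translation unit non-empty would help the next reader.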
diff -Nru openssl-1.0.1j.orig/ssl/s3_srvr.c openssl-1.0.1j/ssl/s3_srvr.c
--- openssl-1.0.1j.orig/ssl/s3_srvr.c 2014-10-15 14:53:39.000000000 +0200
+++ openssl-1.0.1j/ssl/s3_srvr.c 2014-10-30 13:54:34.043101198 +0100
@@ -170,6 +170,7 @@
#endif
#include <openssl/md5.h>
+#ifndef OPENSSL_NO_SSL3
static const SSL_METHOD *ssl3_get_server_method(int ver);
static const SSL_METHOD *ssl3_get_server_method(int ver)
@@ -180,6 +181,12 @@
return(NULL);
}
+IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
+ ssl3_accept,
+ ssl_undefined_function,
+ ssl3_get_server_method)
+#endif /* !OPENSSL_NO_SSL3 */
+
#ifndef OPENSSL_NO_SRP
static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
{
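Review bot: Moving `IMPLEMENT_ssl3_meth_func(SSLv3_server_method, ...)` under the guard removes only the fixed-version constructor; `ssl3_accept` stays compiled outside the guard, presumably because the TLS server methods share it, so nothing in this hunk stops an SSL 3.0 handshake that arrives through a version-flexible method. Whether that path is already rejected is decided in negotiation code outside this patch, so it is worth confirming with a no-ssl3 build that an SSL 3.0 ClientHello is refused. A comment above the `#endif` such as `/* no-ssl3 removes the SSLv3-only method; version negotiation must reject SSL3_VERSION separately */` would record the limit of this change. The redundant prototype `static const SSL_METHOD *ssl3_get_server_method(int ver);` is kept here and in s3_meth.c but was dropped in s3_clnt.c; treat all three the same way.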
@@ -206,11 +213,6 @@
}
#endif
-IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
- ssl3_accept,
- ssl_undefined_function,
- ssl3_get_server_method)
-
int ssl3_accept(SSL *s)
{
BUF_MEM *buf;