Re: [squid-dev] cope with OPENSSL_NO_SSL3 builds of (libre|open)ssl

Thu, 10 Sep 2015 09:51:30 -0700 

On 09/10/2015 04:07 PM, Stuart Henderson wrote:

LibreSSL has removed SSLv3, and it can be disabled optionally in OpenSSL
by building with no_ssl3. The patch below allows building against such a



I suppose that LibreSSL wants to forces as to use the TLS isntead of 
sslv3, so maybe it is better to try use the TLS_method() instead of 
SSLv23_method.



Also, with a very quick view looks that the  libreSSL TLS_method() is 
equivalent to openSSL TLSv1_2_method() method...







library. The diff to support.cc is straightforward, bio.cc rationale was
discussed at https://marc.info/?l=openbsd-tech&m=144079285816974&w=2,
but please let me know if we got things wrong.

--- src/ssl/bio.cc.orig Tue Sep  1 20:52:00 2015
+++ src/ssl/bio.cc      Fri Sep  4 12:02:24 2015
@@ -1000,7 +1000,7 @@ Ssl::Bio::sslFeatures::parseV3Hello(const unsigned cha

          ciphers += 2;
          if (ciphersLen) {
-            const SSL_METHOD *method = SSLv3_method();
+            const SSL_METHOD *method = SSLv23_method();
              const int cs = method->put_cipher_by_char(NULL, NULL);
              assert(cs > 0);
              for (size_t i = 0; i < ciphersLen; i += cs) {
--- src/ssl/support.cc.orig     Sat Aug  1 00:08:17 2015
+++ src/ssl/support.cc  Fri Aug 28 15:35:53 2015
@@ -1070,8 +1070,13 @@ Ssl::method(int version)
          break;

      case 3:
+#if !defined(OPENSSL_NO_SSL3)
          debugs(83, 5, "Using SSLv3.");
          return SSLv3_client_method();
+#else
+        debugs(83, DBG_IMPORTANT, "SSLv3 is not available in this Proxy.");
+        return NULL;
+#endif
          break;

      case 4:
@@ -1127,8 +1132,13 @@ Ssl::serverMethod(int version)
          break;

      case 3:
+#ifndef OPENSSL_NO_SSL3
          debugs(83, 5, "Using SSLv3.");
          return SSLv3_server_method();
+#else
+        debugs(83, DBG_IMPORTANT, "SSLv3 is not available in this Proxy.");
+        return NULL;
+#endif
          break;

      case 4:
@@ -1553,8 +1563,13 @@ Ssl::contextMethod(int version)
          break;

      case 3:
+#ifndef OPENSSL_NO_SSL3
          debugs(83, 5, "Using SSLv3.");
          method = SSLv3_server_method();
+#else
+        debugs(83, DBG_IMPORTANT, "SSLv3 is not available in this Proxy.");
+        return NULL;
+#endif
          break;

      case 4:


_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev

_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev






















					Reply via email to