On 11/09/2015 4:50 a.m., Tsantilas Christos wrote:
> On 09/10/2015 04:07 PM, Stuart Henderson wrote:
>> LibreSSL has removed SSLv3, and it can be disabled optionally in OpenSSL
>> by building with no_ssl3. The patch below allows building against such a
>
> I suppose that LibreSSL wants to force us to use TLS instead of
> SSLv3, so maybe it is better to try to use TLS_method() instead of
> SSLv23_method().
>
> Also, from a very quick look, it seems that the LibreSSL TLS_method() is
> equivalent to the OpenSSL TLSv1_2_method() method...
Yes, maybe and no:

Yes - LibreSSL is following the SSLv2/SSLv3 deprecation RFCs very closely. Upcoming OpenSSL versions will be too, eventually. So those using the very latest libraries get the very latest up-to-date specification requirements applied.

We need to support use of those libraries, but also use of older libraries. So #if wrapping these functions is now required. We just need to sort out which ones.

* The ssl/support.cc part of this looks correct (for 3.5).

* The bio.cc part ...

Maybe - If I'm reading the OpenSSL docs right, SSLv3_method was producing a fixed, specific method that negotiates the SSLv3-only protocol. TLS_method negotiates any TLS version. I think use of SSLv3_method was a bug to begin with, and TLS_method()/SSLv23_method() would be correct now.

[ IMO we should rename parseV23Hello to parseV2Hello to clarify that it parses a v2 syntax hello. Avoid confusing it with the SSL*_method() vs TLS_method() relevance. ]

No - TLS_method() is *not* equivalent to TLSv1_2_method(). It is equivalent to SSLv23_method() / SSLv23_server_method(). All of those may or may not produce TLSv1_2_method() as their output, depending on the config settings.

Assuming the patch is correct in swapping SSLv23_method(), then it should actually be swapping to TLS_method(), with back-compat #if wrappers using SSLv23_method(), as seen with uses of the SSLv23_*_method() functions.

[ I see that parseV23Hello() is using SSLv23_method() bare. That is a bug waiting to happen when OpenSSL v1.2-1.3 hits us. Which should also be fixed in this patch scope. ]

Amos

_______________________________________________
squid-dev mailing list
http://lists.squid-cache.org/listinfo/squid-dev
