On Friday 28 August 2015 13:19:17 Stuart Henderson wrote:
> Any suggestions as to what might be needed here, can the SSLv3_method
> just be replaced with SSLv23_method?

Yes, that should be fine. The code is parsing an SSLv3/TLS client hello
message and it is then mapping the ciphersuites to libssl ciphers. I'm
guessing the reason for using SSLv3_method() here is to avoid picking up
SSLv2 ciphers. Fun fact - due to what is effectively a design flaw, the
ciphers returned from SSLv3_method() include TLS1.0 and TLS1.2 ciphers...

> http://bazaar.launchpad.net/~squid/squid/3.5/view/head:/src/ssl/bio.cc#L1009
> |     ciphers += 2;
> |     if (ciphersLen) {
> |         const SSL_METHOD *method = SSLv3_method();
>                                      ^^^^^^^^^^^^
> |         const int cs = method->put_cipher_by_char(NULL, NULL);
> |         assert(cs > 0);
> |         for (size_t i = 0; i < ciphersLen; i += cs) {
> |             const SSL_CIPHER *c = method->get_cipher_by_char((ciphers + i));
> |             if (c != NULL) {
> |                 if (!clientRequestedCiphers.empty())
> |                     clientRequestedCiphers.append(":");
> |                 clientRequestedCiphers.append(c->name);
> |             } else
> |                 unknownCiphers = true;
> |         }
> |     }
> |     debugs(83, 7, "Ciphers requested by client: " << clientRequestedCiphers);
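
Added example, not part of the original message and not Squid's or libssl's code: the ClientHello cipher-suite mapping described above, done against a small constructed ID-to-name table instead of an SSL_METHOD. The names parseCipherSuites, ParsedCiphers, kSuites and kSampleSuites are hypothetical; an odd-length vector is rejected rather than read past its end.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

struct SuiteName { uint16_t id; const char *name; };

// Constructed, deliberately incomplete table (IANA suite ID -> OpenSSL name).
static const SuiteName kSuites[] = {
    {0x000A, "DES-CBC3-SHA"},
    {0x002F, "AES128-SHA"},
    {0x0035, "AES256-SHA"},
    {0x009C, "AES128-GCM-SHA256"},
    {0xC02F, "ECDHE-RSA-AES128-GCM-SHA256"},
};

// Constructed sample cipher_suites bytes: two known IDs, then 0x00FF.
static const unsigned char kSampleSuites[] = {0xC0, 0x2F, 0x00, 0x2F, 0x00, 0xFF};

struct ParsedCiphers {
    std::string names;      // colon-separated, like clientRequestedCiphers
    bool unknown = false;   // at least one ID was not in the table
    bool malformed = false; // vector length was not a multiple of 2
};

// `ciphers` points at the first suite ID; `len` is the cipher_suites length
// field already read from the SSLv3/TLS ClientHello.
ParsedCiphers parseCipherSuites(const unsigned char *ciphers, size_t len)
{
    ParsedCiphers out;
    if (len % 2 != 0) {          // never read a partial ID past the buffer
        out.malformed = true;
        return out;
    }
    for (size_t i = 0; i < len; i += 2) {
        const uint16_t id = static_cast<uint16_t>((ciphers[i] << 8) | ciphers[i + 1]);
        const char *name = nullptr;
        for (const SuiteName &s : kSuites)
            if (s.id == id) { name = s.name; break; }
        if (name) {
            if (!out.names.empty())
                out.names.append(":");
            out.names.append(name);
        } else {
            out.unknown = true;  // e.g. 0x00FF, the renegotiation SCSV
        }
    }
    return out;
}
```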
