[Pkg-openssl-devel] Bug#871433: poco: please switch to SSLv23_… or TLS_…_method
Sebastian Andrzej Siewior
sebastian at breakpoint.cc
Mon Aug 7 22:11:02 UTC 2017
Package: poco
Version: 1.7.6+dfsg1-5
Severity: important
User: pkg-openssl-devel at lists.alioth.debian.org
Usertags: TLS1.0_1.1_removal
Your packages uses a function which requests a TLS1.0 and/or TLS1.1 only
connection. Since openssl 1.1.0f-4 (currently in unstable) this means
won't work because it provides TLS1.2. See also [0].
Please switch to
SSLv23_method() | SSLv23_server_method() | SSLv23_client_method()
or the recommended openssl 1.1+ functions:
TLS_method() | TLS_server_method() | TLS_client_method()
as per man-page [1].
The code I identified and probably needs to be replaced:
poco-1.7.8+dfsg1/NetSSL_OpenSSL/src/Context.cpp:
| void Context::createSSLContext()
| {
| if (SSLManager::isFIPSEnabled())
| {
| _pSSLContext = SSL_CTX_new(TLSv1_method());
| }
| else
| {
the else path looks okay but the FIPS enabled mode looks non-working.
An example for replacing a TLSv1 only connection with any possible
version would look like this:
- ctx = SSL_CTX_new(TLSv1_client_method());
+ ctx = SSL_CTX_new(SSLv23_client_method());
If you want to use the openssl 1.1 function you need extra version
checks:
- ctx = SSL_CTX_new(TLSv1_client_method());
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
+ !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
+ ctx = SSL_CTX_new (TLS_client_method ());
+#else
+ ctx = SSL_CTX_new (SSLv23_client_method ());
+#endif
Note that that openssl is usually configured (at build time) to not
allow SSLv2 and SSLv3 connections. However if upstream wants to be sure
to have it disable you can add this:
+#ifdef OPENSSL_NO_SSL3
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
+#endif
+
+#ifdef OPENSSL_NO_SSL2
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+#endif
to make sure it is not used for a connection even if the currently
install libssl library is supporting it.
[0] https://lists.debian.org/msgid-search/20170807014238.mf64rdvgpdkpaiwa@roeckx.be
[1] https://manpages.debian.org/stretch/libssl-doc/SSLv23_method.3ssl.en.html
Sebastian
More information about the Pkg-openssl-devel
mailing list