Bug#803975: libcrypt-ssleay-perl: Uses SSLv3_client_method()
Kurt Roeckx
kurt at roeckx.be
Tue Nov 3 19:50:43 UTC 2015
Source: libcrypt-ssleay-perl
Version: 0.58-1
Severity: serious
Hi,
Your package has code in SSLeay.xs that does:
    if(ssl_version == 23) {
        /* version-flexible method: negotiates the highest version both sides support */
        ctx = SSL_CTX_new(SSLv23_client_method());
    }
    else if(ssl_version == 3) {
        /* SSLv3 only, no negotiation possible */
        ctx = SSL_CTX_new(SSLv3_client_method());
    }
    else {
#ifndef OPENSSL_NO_SSL2
        /* v2 is the default */
        ctx = SSL_CTX_new(SSLv2_client_method());
#else
        /* v3 is the default */
        ctx = SSL_CTX_new(SSLv3_client_method());
#endif
    }
You really only ever want to use SSLv23_client_method() since that
is the only one that supports multiple versions. I suggest you
modify your nossl2.patch to just replace all of the above by:
ctx = SSL_CTX_new(SSLv23_client_method());
ssl_version would then become an unused variable.
Just like SSLv2 has already been removed, SSLv3 is now also
removed because it's insecure.
Kurt