Bug#803975: libcrypt-ssleay-perl: Uses SSLv3_client_method()

gregor herrmann gregoa at debian.org
Tue Nov 3 20:56:36 UTC 2015


On Tue, 03 Nov 2015 20:50:43 +0100, Kurt Roeckx wrote:

> You really only ever want to use SSLv23_client_method() since that
> is the only one that supports multiple versions.  I suggest you
> modify your nossl2.patch to just replace all of the above by:
> 	ctx = SSL_CTX_new(SSLv23_client_method());
> 
> ssl_version would then become an unused variable.
> 
> Just like SSLv2 has already been removed, SSLv3 is now also
> removed because it's insecure.

Some findings:
- nossl2.patch doesn't exist anymore in git, since it was merged
  upstream, and we have 0.72 in git but never uploaded due to some
  packaging glitches (and then the freeze)
- 0.72 is the last upstream release and contains this code
- upstream has in the meantime changed it in a dev release on the
  CPAN (0.73_04) [0] and in git [1]:

[0] https://metacpan.org/diff/file?target=NANIS%2FCrypt-SSLeay-0.73_04%2F&source=NANIS%2FCrypt-SSLeay-0.72%2F#SSLeay.xs
[1] https://github.com/nanis/Crypt-SSLeay/blob/0.73_04/SSLeay.xs


At a quick glance this looks good, since there's only
SSLv23_client_method() left. What confuses me a bit is
- in the .xs file the allow_sslv3 variable
- in the .pm file the HTTPS_VERSION environment variable.


Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer -  https://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Leonard Cohen: Amen