Bug#803975: libcrypt-ssleay-perl: Uses SSLv3_client_method()

Kurt Roeckx kurt at roeckx.be
Tue Nov 3 21:35:10 UTC 2015 

On Tue, Nov 03, 2015 at 10:33:21PM +0100, Kurt Roeckx wrote:
> On Tue, Nov 03, 2015 at 09:56:36PM +0100, gregor herrmann wrote:
> > On Tue, 03 Nov 2015 20:50:43 +0100, Kurt Roeckx wrote:
> > 
> > > You really only ever want to use SSLv23_client_method() since that
> > > is the only one that supports multiple versions.  I suggest you
> > > modify your nossl2.patch to just replace all of the above by:
> > > 	ctx = SSL_CTX_new(SSLv23_client_method());
> > > 
> > > ssl_version would then become an unused variable.
> > > 
> > > Just like SSLv2 has already been removed, SSLv3 is now also
> > > removed because it's insecure.
> > 
> > Some findings:
> > - nossl2.patch doesn't exist anymore in git, since it was merged
> >   upstream, and we have 0.72 in git but never uploaded due to some
> >   packaging glitches (and then the freeze)
> > - 0.72 is the last upstream release and contains this code
> > - upstream has in the meantime changed it in a dev release on the
> >   CPAN (0.73_04) [0] and in git [1]:
> > 
> > [0] https://metacpan.org/diff/file?target=NANIS%2FCrypt-SSLeay-0.73_04%2F&source=NANIS%2FCrypt-SSLeay-0.72%2F#SSLeay.xs
> > [1] https://github.com/nanis/Crypt-SSLeay/blob/0.73_04/SSLeay.xs
> > 
> > 
> > At a quick glance this looks good, since there's only
> > SSLv23_client_method() left. What confuses me a bit is
> > - in the .xs file the allow_sslv3 variable
> > - in the .pm file the HTTPS_VERSION environmen variable.
> 
> Since jessie SSLv23_client_method() doesn't support SSLv3 anymore,
> SSLv2 was removed before.  So "allow_sslv3" doesn't make sense, at
> least in Debian.  If you really wanted to allow SSLv3 the proper
> way to do that was by default set the option SSL_OP_NO_SSLv3 (and
> SSL_OP_NO_SSLv2) and then don't set SSL_OP_NO_SSLv3 when it's
> allowed.  That would be with the SSL_{CTX_}set_options function.
> 
> The code still seems to have a reference to the library when it
> was called ssleay and when TLS didn't exist, at least the version
> I looked at, and so seems to pick between SSLv2 and SSLv3.
> 
> HTTPS_VERSION seems really weird.  There is also a
> $DEFAULT_VERSION set to 23 which then makes it use SSLv3, and
> setting it to 3 makes it use SSLv2?

There is this text:
SSL versions
    "Crypt::SSLeay" tries very hard to connect to *any* SSL web server
    accomodating servers that are buggy, old or simply not
    standards-compliant. To this effect, this module will try SSL
    connections in this order:

    SSL v23
        should allow v2 and v3 servers to pick their best type

    SSL v3
        best connection type

    SSL v2
        old connection type

    Unfortunately, some servers seem not to handle a reconnect to SSL v3
    after a failed connect of SSL v23 is tried, so you may set before using
    LWP or Net::SSL:

        $ENV{HTTPS_VERSION} = 3;

    to force a version 3 SSL connection first. At this time only a version 2
    SSL connection will be tried after this, as the connection attempt order
    remains unchanged by this setting.



Kurt

More information about the pkg-perl-maintainers mailing list