Bug#803975: libcrypt-ssleay-perl: Uses SSLv3_client_method()

Niko Tyni ntyni at debian.org
Fri Nov 6 19:22:04 UTC 2015


On Fri, Nov 06, 2015 at 05:48:32PM +0100, gregor herrmann wrote:

> I have to admit that I'm still not completely sure if/how this
> affects us packaging-wise. My current understanding is, that the
> library would allow to set SSLv3 via HTTPS_VERSION which will fail
> now on Debian but that it should just work fine with the default
> values. Is this correct?

As discussed on IRC, it looks to me like there's no code support for
HTTPS_VERSION in 0.73_04 anymore. It seems to be just a leftover in
the docs.

The upstream code in 0.73_04 now uses SSLv23_client_method() with
 SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
by default, and with
 SSL_OP_ALL | SSL_OP_NO_SSLv2
if the (currently undocumented) environment variable
CRYPT_SSLEAY_ALLOW_SSLv3 is set.

This seems to be pretty much what we want, so I think uploading 0.73_04 is
the way to fix this bug. The docs could be improved a bit, of course.
-- 
Niko Tyni   ntyni at debian.org
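The option-mask rule described in the message above (SSLv23_client_method() plus SSL_OP_ALL | SSL_OP_NO_SSLv2, and SSL_OP_NO_SSLv3 unless CRYPT_SSLEAY_ALLOW_SSLv3 is set) can be checked independently of Crypt::SSLeay's XS code. The following script is an added example, not part of the bug report or of Crypt::SSLeay; it assumes Net::SSLeay (Debian package libnet-ssleay-perl) is installed, uses it to build a client context with the same options, and reads the mask back from the context so a packager can confirm which protocol versions are blocked on the local OpenSSL.

```perl
#!/usr/bin/perl
# Added example, not code from Crypt::SSLeay or from the message above.
# Reproduces the upstream 0.73_04 option rule with Net::SSLeay and reads
# the resulting mask back from the SSL_CTX to verify it.
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# Same rule as described for 0.73_04: SSLv2 is always off, SSLv3 is off
# unless the caller explicitly allows it.
sub client_options {
    my ($allow_sslv3) = @_;
    my $opts = Net::SSLeay::OP_ALL() | Net::SSLeay::OP_NO_SSLv2();
    $opts |= Net::SSLeay::OP_NO_SSLv3() unless $allow_sslv3;
    return $opts;
}

# Build a context the way a client would: SSLv23 (version-flexible)
# method, then restrict it with the option mask.
sub build_ctx {
    my ($allow_sslv3) = @_;
    my $ctx = Net::SSLeay::CTX_new_with_method(Net::SSLeay::SSLv23_client_method())
        or die "CTX_new_with_method failed\n";
    Net::SSLeay::CTX_set_options($ctx, client_options($allow_sslv3));
    return $ctx;
}

# Read the mask back from the context rather than trusting the value we set.
# On OpenSSL 1.1 and later SSL_OP_NO_SSLv2 is 0 because SSLv2 support was
# removed entirely, so a zero constant means "not compiled in", not "allowed".
sub describe {
    my ($ctx, $name, $flag) = @_;
    return 'not compiled in' if $flag == 0;
    my $opts = Net::SSLeay::CTX_get_options($ctx);
    return ($opts & $flag) ? 'blocked' : 'allowed';
}

# The environment variable name is the one named in the message above.
my $allow = defined $ENV{CRYPT_SSLEAY_ALLOW_SSLv3};
my $ctx   = build_ctx($allow);
printf "%-30s SSLv2: %s, SSLv3: %s\n",
    ($allow ? 'CRYPT_SSLEAY_ALLOW_SSLv3 set' : 'default options'),
    describe($ctx, 'SSLv2', Net::SSLeay::OP_NO_SSLv2()),
    describe($ctx, 'SSLv3', Net::SSLeay::OP_NO_SSLv3());
Net::SSLeay::CTX_free($ctx);
```

Run it once plainly and once with CRYPT_SSLEAY_ALLOW_SSLv3=1 in the environment to see the two masks the message describes. Note that a context that merely allows SSLv3 via the option mask still cannot negotiate it on an OpenSSL built with SSLv3 disabled, which is the Debian situation the bug report is about.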


