Bug#803975: libcrypt-ssleay-perl: Uses SSLv3_client_method()

Kurt Roeckx kurt at roeckx.be
Fri Nov 6 21:07:25 UTC 2015


On Fri, Nov 06, 2015 at 09:22:04PM +0200, Niko Tyni wrote:
> On Fri, Nov 06, 2015 at 05:48:32PM +0100, gregor herrmann wrote:
> 
> > I have to admit that I'm still not completely sure if/how this
> > affects us packaging-wise. My current understanding is that the
> > library would allow setting SSLv3 via HTTPS_VERSION, which will fail
> > now on Debian, but that it should just work fine with the default
> > values. Is this correct?
> 
> As discussed on IRC, it looks to me like there's no code support for
> HTTPS_VERSION in 0.73_04 anymore. It seems to be just a leftover in
> the docs.
> 
> The upstream code in 0.73_04 now uses SSLv23_client_method() with
>  SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
> by default, and with
>  SSL_OP_ALL | SSL_OP_NO_SSLv2
> if the (currently undocumented) environment variable
> CRYPT_SSLEAY_ALLOW_SSLv3 is set.
> 
> This seems to be pretty much what we want, so I think uploading 0.73_04 is
> the way to fix this bug. The docs could be improved a bit of course.

Yes, that looks good to me.


Kurt
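
The option policy described in the thread (version-flexible client method, SSLv2 and SSLv3 masked off unless CRYPT_SSLEAY_ALLOW_SSLv3 is set), as an added example that is not part of the original message and is not Crypt::SSLeay code. It uses Python's ssl binding to OpenSSL; build_client_context and legacy_protocols_permitted are hypothetical names, and the environments passed in are constructed.

```python
import os
import ssl

# Environment variable name as given in the thread.
ALLOW_SSLV3_ENV = "CRYPT_SSLEAY_ALLOW_SSLv3"


def build_client_context(environ=None):
    """Hypothetical helper: version-flexible client context, SSLv2/SSLv3 off
    unless the opt-in variable is set."""
    environ = os.environ if environ is None else environ
    # PROTOCOL_TLS_CLIENT selects OpenSSL's version-flexible client method,
    # the role SSLv23_client_method() plays in the C API.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    opts = int(ctx.options) | int(ssl.OP_NO_SSLv2)
    if ALLOW_SSLV3_ENV in environ:
        opts &= ~int(ssl.OP_NO_SSLv3)   # stop forbidding SSLv3
    else:
        opts |= int(ssl.OP_NO_SSLv3)    # default: SSLv3 forbidden
    ctx.options = opts
    return ctx


def legacy_protocols_permitted(ctx):
    """Hypothetical audit helper: legacy protocols the option mask leaves on."""
    opts = int(ctx.options)
    permitted = []
    for name, flag in (("SSLv2", int(ssl.OP_NO_SSLv2)),
                       ("SSLv3", int(ssl.OP_NO_SSLv3))):
        # A flag value of 0 means the linked OpenSSL has no such switch
        # (SSLv2 was removed in OpenSSL 1.1.0), so there is nothing to permit.
        if flag and not opts & flag:
            permitted.append(name)
    return permitted


if __name__ == "__main__":
    for env in ({}, {ALLOW_SSLV3_ENV: "1"}):   # constructed environments
        print(sorted(env), legacy_protocols_permitted(build_client_context(env)))
```

Clearing the flag only removes the prohibition; an OpenSSL build without SSLv3 support still cannot negotiate it.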


