[squid-dev] cope with OPENSSL_NO_SSL3 builds of (libre|open)ssl

Stuart Henderson stu at spacehopper.org
Thu Sep 10 13:07:08 UTC 2015


LibreSSL has removed SSLv3, and it can be disabled optionally in OpenSSL
by building with no_ssl3. The patch below allows building against such a
library. The diff to support.cc is straightforward; the bio.cc rationale was
discussed at https://marc.info/?l=openbsd-tech&m=144079285816974&w=2,
but please let me know if we got things wrong.

--- src/ssl/bio.cc.orig	Tue Sep  1 20:52:00 2015
+++ src/ssl/bio.cc	Fri Sep  4 12:02:24 2015
@@ -1000,7 +1000,7 @@ Ssl::Bio::sslFeatures::parseV3Hello(const unsigned cha
 
         ciphers += 2;
         if (ciphersLen) {
-            const SSL_METHOD *method = SSLv3_method();
+            const SSL_METHOD *method = SSLv23_method();
             const int cs = method->put_cipher_by_char(NULL, NULL);
             assert(cs > 0);
             for (size_t i = 0; i < ciphersLen; i += cs) {
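Review bot: The value returned by `method->put_cipher_by_char(NULL, NULL)` is used as the stride `cs` of the loop over `ciphersLen`, and the only check on it is `assert(cs > 0)`, so this change is safe only if SSLv23_method() reports the same per-cipher size that SSLv3_method() did in every supported library. parseV3Hello is walking a v3-format hello, where each cipher suite identifier is 2 bytes; if the version-flexible method reports a different size, the loop steps through the cipher list misaligned and records the wrong suites without tripping the assert. Please either tighten the assert to the size expected for a v3 hello, or add a comment stating why SSLv23_method() is guaranteed to return that size on both OpenSSL and LibreSSL, with a pointer to the openbsd-tech discussion.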
--- src/ssl/support.cc.orig	Sat Aug  1 00:08:17 2015
+++ src/ssl/support.cc	Fri Aug 28 15:35:53 2015
@@ -1070,8 +1070,13 @@ Ssl::method(int version)
         break;
 
     case 3:
+#if !defined(OPENSSL_NO_SSL3)
         debugs(83, 5, "Using SSLv3.");
         return SSLv3_client_method();
+#else
+        debugs(83, DBG_IMPORTANT, "SSLv3 is not available in this Proxy.");
+        return NULL;
+#endif
         break;
 
     case 4:
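Review bot: The guard in Ssl::method() is spelled `#if !defined(OPENSSL_NO_SSL3)` while the two later hunks in the same file use `#ifndef OPENSSL_NO_SSL3`; pick one form so a grep for the macro finds all three sites the same way. Also, the `break;` after `#endif` is unreachable in both branches now, since each side returns; that is harmless, but worth a glance to confirm no compiler in the build matrix warns on it with warnings treated as errors.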
@@ -1127,8 +1132,13 @@ Ssl::serverMethod(int version)
         break;
 
     case 3:
+#ifndef OPENSSL_NO_SSL3
         debugs(83, 5, "Using SSLv3.");
         return SSLv3_server_method();
+#else
+        debugs(83, DBG_IMPORTANT, "SSLv3 is not available in this Proxy.");
+        return NULL;
+#endif
         break;
 
     case 4:
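Review bot: The new `return NULL;` in the `#else` branch of Ssl::serverMethod() means a configuration asking for version 3 now yields a null method pointer on no-SSLv3 builds, and nothing visible in this hunk shows that callers check for it. Please confirm every caller of serverMethod() handles NULL before passing the result on to context creation, and fails the affected port or peer configuration cleanly. The message "SSLv3 is not available in this Proxy." is also identical at all three sites; naming the function or the client/server role in the text would tell the administrator which configuration line triggered it.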
@@ -1553,8 +1563,13 @@ Ssl::contextMethod(int version)
         break;
 
     case 3:
+#ifndef OPENSSL_NO_SSL3
         debugs(83, 5, "Using SSLv3.");
         method = SSLv3_server_method();
+#else
+        debugs(83, DBG_IMPORTANT, "SSLv3 is not available in this Proxy.");
+        return NULL;
+#endif
         break;
 
     case 4:
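Review bot: In Ssl::contextMethod() the enabled branch assigns `method = SSLv3_server_method();` and falls through to `break;`, but the `#else` branch does `return NULL;` directly, which skips whatever the function does after the switch. If the code after the switch does cleanup, logging or a shared failure path for a null `method`, the early return bypasses it; if the function already returns NULL from other cases in the same way, a short comment saying so would make the asymmetry clearly intentional. Please check which applies and keep the unavailable-SSLv3 path consistent with how this function reports its other failures.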