[squid-dev] cope with OPENSSL_NO_SSL3 builds of (libre|open)ssl

Tsantilas Christos chtsanti at users.sourceforge.net
Thu Sep 10 16:50:49 UTC 2015


On 09/10/2015 04:07 PM, Stuart Henderson wrote:
> LibreSSL has removed SSLv3, and it can be disabled optionally in OpenSSL
> by building with no_ssl3. The patch below allows building against such a

I suppose that LibreSSL wants to force us to use TLS instead of 
SSLv3, so maybe it is better to try to use the TLS_method() instead of 
SSLv23_method.

Also, from a very quick look, it seems that the LibreSSL TLS_method() is 
equivalent to the OpenSSL TLSv1_2_method() method...





> library. The diff to support.cc is straightforward, bio.cc rationale was
> discussed at https://marc.info/?l=openbsd-tech&m=144079285816974&w=2,
> but please let me know if we got things wrong.
>
> --- src/ssl/bio.cc.orig	Tue Sep  1 20:52:00 2015
> +++ src/ssl/bio.cc	Fri Sep  4 12:02:24 2015
> @@ -1000,7 +1000,7 @@ Ssl::Bio::sslFeatures::parseV3Hello(const unsigned cha
>
>           ciphers += 2;
>           if (ciphersLen) {
> -            const SSL_METHOD *method = SSLv3_method();
> +            const SSL_METHOD *method = SSLv23_method();
>               const int cs = method->put_cipher_by_char(NULL, NULL);
>               assert(cs > 0);
>               for (size_t i = 0; i < ciphersLen; i += cs) {
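
Review bot: the stride `cs` in parseV3Hello is only checked with assert(cs > 0), so after the switch to SSLv23_method() nothing verifies that it still matches the per-cipher length the loop expects when it steps through the hello's cipher list with `i += cs`. Either assert the expected length instead of just a positive value, or add a comment stating why the SSLv23 method's put_cipher_by_char() gives the right size here. The reply in this thread suggests TLS_method() instead, so it is worth settling which method is meant before this goes in.
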
> --- src/ssl/support.cc.orig	Sat Aug  1 00:08:17 2015
> +++ src/ssl/support.cc	Fri Aug 28 15:35:53 2015
> @@ -1070,8 +1070,13 @@ Ssl::method(int version)
>           break;
>
>       case 3:
> +#if !defined(OPENSSL_NO_SSL3)
>           debugs(83, 5, "Using SSLv3.");
>           return SSLv3_client_method();
> +#else
> +        debugs(83, DBG_IMPORTANT, "SSLv3 is not available in this Proxy.");
> +        return NULL;
> +#endif
>           break;
>
>       case 4:
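
Review bot: the #else branch of case 3 in Ssl::method() now returns NULL, and none of the visible lines show a caller checking for that; please confirm every caller copes with a NULL SSL_METHOD, or include those checks in the patch. The guard here is spelled `#if !defined(OPENSSL_NO_SSL3)` while the other two hunks use `#ifndef OPENSSL_NO_SSL3`; pick one form. The `break;` after the returns is unreachable in both branches.
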
> @@ -1127,8 +1132,13 @@ Ssl::serverMethod(int version)
>           break;
>
>       case 3:
> +#ifndef OPENSSL_NO_SSL3
>           debugs(83, 5, "Using SSLv3.");
>           return SSLv3_server_method();
> +#else
> +        debugs(83, DBG_IMPORTANT, "SSLv3 is not available in this Proxy.");
> +        return NULL;
> +#endif
>           break;
>
>       case 4:
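
Review bot: the DBG_IMPORTANT message in the #else branch of Ssl::serverMethod() is the same string used in Ssl::method(), so the log cannot show whether the client or the server side asked for SSLv3. Suggest wording that names the side and the cause (the library was built with OPENSSL_NO_SSL3), so an administrator knows which configuration to change.
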
> @@ -1553,8 +1563,13 @@ Ssl::contextMethod(int version)
>           break;
>
>       case 3:
> +#ifndef OPENSSL_NO_SSL3
>           debugs(83, 5, "Using SSLv3.");
>           method = SSLv3_server_method();
> +#else
> +        debugs(83, DBG_IMPORTANT, "SSLv3 is not available in this Proxy.");
> +        return NULL;
> +#endif
>           break;
>
>       case 4:
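
Review bot: in Ssl::contextMethod() the #else branch does `return NULL;` while the SSLv3 branch assigns `method` and leaves through `break;`, so the two build configurations exit the switch by different paths. Confirm that skipping whatever follows the switch is intended for the no-SSLv3 build and that callers check for NULL; if not, set `method = NULL;` and break so both builds share one exit path.
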
>
>

