[squid-dev] cope with OPENSSL_NO_SSL3 builds of (libre|open)ssl
Stuart Henderson
stu at spacehopper.org
Thu Sep 10 13:07:08 UTC 2015
LibreSSL has removed SSLv3, and it can be disabled optionally in OpenSSL
by building with no_ssl3. The patch below allows building against such a
library. The diff to support.cc is straightforward; the bio.cc rationale was
discussed at https://marc.info/?l=openbsd-tech&m=144079285816974&w=2,
but please let me know if we got things wrong.
--- src/ssl/bio.cc.orig Tue Sep 1 20:52:00 2015
+++ src/ssl/bio.cc Fri Sep 4 12:02:24 2015
@@ -1000,7 +1000,7 @@ Ssl::Bio::sslFeatures::parseV3Hello(const unsigned cha
ciphers += 2;
if (ciphersLen) {
- const SSL_METHOD *method = SSLv3_method();
+ const SSL_METHOD *method = SSLv23_method();
const int cs = method->put_cipher_by_char(NULL, NULL);
assert(cs > 0);
for (size_t i = 0; i < ciphersLen; i += cs) {
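Review bot: The loop below the changed line steps through the cipher list by cs, and cs now comes from SSLv23_method()->put_cipher_by_char(NULL, NULL) with only assert(cs > 0) guarding it. A V3 hello encodes each cipher suite in two bytes, so this is correct only if the SSLv23 method reports the same width as the SSLv3 method did on every library this builds against. Please confirm that on stock OpenSSL as well as LibreSSL, and either tighten the check to assert(cs == 2) or add a comment saying why SSLv23_method() is safe inside parseV3Hello(), since the rationale currently lives only in the linked thread.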
--- src/ssl/support.cc.orig Sat Aug 1 00:08:17 2015
+++ src/ssl/support.cc Fri Aug 28 15:35:53 2015
@@ -1070,8 +1070,13 @@ Ssl::method(int version)
break;
case 3:
+#if !defined(OPENSSL_NO_SSL3)
debugs(83, 5, "Using SSLv3.");
return SSLv3_client_method();
+#else
+ debugs(83, DBG_IMPORTANT, "SSLv3 is not available in this Proxy.");
+ return NULL;
+#endif
break;
case 4:
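Review bot: The new #else branch in case 3 of Ssl::method() returns NULL, and nothing in this hunk shows how callers treat a NULL method. Please check that the caller fails the configuration with a clear error instead of handing NULL on to context creation. Separately, this hunk guards with #if !defined(OPENSSL_NO_SSL3) while the other two support.cc hunks use #ifndef OPENSSL_NO_SSL3; pick one form for all three.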
@@ -1127,8 +1132,13 @@ Ssl::serverMethod(int version)
break;
case 3:
+#ifndef OPENSSL_NO_SSL3
debugs(83, 5, "Using SSLv3.");
return SSLv3_server_method();
+#else
+ debugs(83, DBG_IMPORTANT, "SSLv3 is not available in this Proxy.");
+ return NULL;
+#endif
break;
case 4:
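Review bot: The DBG_IMPORTANT message added in case 3 of Ssl::serverMethod(), "SSLv3 is not available in this Proxy.", does not tell the admin why, and the same string is repeated in all three functions. Consider wording that says the SSL library was built without SSLv3 support, so the log points at the library build and not at the squid configuration. The break after #endif is now unreachable in both branches, as both return.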
@@ -1553,8 +1563,13 @@ Ssl::contextMethod(int version)
break;
case 3:
+#ifndef OPENSSL_NO_SSL3
debugs(83, 5, "Using SSLv3.");
method = SSLv3_server_method();
+#else
+ debugs(83, DBG_IMPORTANT, "SSLv3 is not available in this Proxy.");
+ return NULL;
+#endif
break;
case 4:
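Review bot: In case 3 of Ssl::contextMethod() the #else branch does return NULL, while the existing branch assigns method = SSLv3_server_method() and falls through to break. The early return skips whatever this function does after the switch, unlike every other path through it. If that is intended, a short comment would help; otherwise set method to NULL and break so both branches leave the switch the same way, and make sure the code after the switch copes with a NULL method.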