[squid-dev] cope with OPENSSL_NO_SSL3 builds of (libre|open)ssl
Amos Jeffries
squid3 at treenet.co.nz
Thu Sep 10 20:09:04 UTC 2015
On 11/09/2015 4:50 a.m., Tsantilas Christos wrote:
> On 09/10/2015 04:07 PM, Stuart Henderson wrote:
>> LibreSSL has removed SSLv3, and it can be disabled optionally in OpenSSL
>> by building with no_ssl3. The patch below allows building against such a
>
> I suppose that LibreSSL wants to forces as to use the TLS isntead of
> sslv3, so maybe it is better to try use the TLS_method() instead of
> SSLv23_method.
>
> Also, with a very quick view looks that the libreSSL TLS_method() is
> equivalent to openSSL TLSv1_2_method() method...
Yes, maybe and no :
Yes - LibreSSL is following the SSLv2/SSLv3 deprecation RFCs very
closely. Upcoming OpenSSL versions will be too, eventually. So those
using the very latest libraries get the very latest up-to-date
specification requirements applied.
We need to support use of those libraries, but also use of older
libraries. So #if wrapping these functions is now required. We just need
to sort out which ones.
* The ssl/support.cc part of this looks correct (for 3.5).
* The bio.cc part ...
Maybe - If I'm reading the OpenSSL docs right the SSLv3_method was
producing a fixed specific method to negotiate SSLv3-only protocol. The
TLS_method is negotiating any TLS version. I think use of SSLv3_method
was a bug to begin with and TLS_method()/SSLv23_method() would be
correct now.
[ IMO we should rename parseV23Hello to parseV2Hello to clarify that it
parses a v2 syntax hello. Avoid confusing with SSL*_method() vs
TLS_method() relevance. ]
No - TLS_method() is *not* equivalent to TLSv1_2_method(). It is
equivalent to SSLv23_method() / SSLv23_server_method(). All of those may
or may not produce TLSv1_2_method() as their output depending on the
config settings.
Assuming the patch is correct in swapping SSLv23_method(). Then it
should actually be swapping to TLS_method() with back-compat #if
wrappers using SSLv23_method(). As seen with uses of the
SSLv23_*_method() functions.
[ I see the parseV23Hello() is using SSLv23_method() bare. That is a bug
waiting to happen when OpenSSL v1.2-1.3 hits us. Which should also be
fixed in this patch scope. ]
Amos
More information about the squid-dev
mailing list