package: ircd-hybrid
version: 1:7.2.2.dfsg.2-10
tags: security patch
Control: fixed -1 1:8.0.4.dfsg.1-1

So I looked into how to disable SSLv3 in ircd-hybrid and didn't find
anything. It seems that in the v8 version they disable SSLv2 and SSLv3
while in the v7 version they only disable SSLv2.
I applied the change at the bottom of this mail to disable SSLv3 in the v7
version which is currently in Wheezy.

Given the fact that one should disable SSLv3 and that this package has
to be manually recompiled in order to enable SSL at all - what are the
chances that an update hits Wheezy? :)

diff --git a/src/ircd.c b/src/ircd.c
--- a/src/ircd.c
+++ b/src/ircd.c
@@ -512,7 +512,7 @@ init_ssl(void)
     ilog(L_CRIT, "ERROR: Could not initialize the SSL context -- %s\n", s);
   }
 
-  SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_NO_SSLv2);
+  SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
   SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_TLS_ROLLBACK_BUG|SSL_OP_ALL);
   SSL_CTX_set_verify(ServerInfo.ctx, SSL_VERIFY_NONE, NULL);
 
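Review bot: on the changed SSL_CTX_set_options line in init_ssl(), SSL_OP_NO_SSLv3 only has an effect when ServerInfo.ctx was created with a version-negotiating method such as SSLv23_server_method(). The context creation is outside this hunk, so please confirm which method is used there. It is also worth checking that the error branch logging "Could not initialize the SSL context" does not fall through to these calls with an unusable context. As a style point, the two consecutive SSL_CTX_set_options calls could be merged into one, with a short comment saying why SSLv3 is now refused alongside SSLv2.
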
-- 
1.7.10.4


Sebastian

