Package: curl
Severity: important
Tags: patch

Hi,

I would like to get rid of the SSLv3 methods in openssl. The patch brings curl in the same state as for SSLv2 in that it doesn't try and use SSLv3 methods when openssl is built without SSLv3 support. I'm using the OPENSSL_NO_SSL3 define which currently actually means SSLv3 method still exists but where the SSLv23_client_method stopped doing SSLv3. In the version in experimental the methods are really dropped and you can see that by the OPENSSL_NO_SSL3_METHOD define. You could use that define if you really wanted.

Kurt

--- ./lib/vtls/openssl.c.old 2014-11-08 12:48:34.162629285 +0100 +++ ./lib/vtls/openssl.c 2014-11-08 12:49:42.001175881 +0100 @@ -1546,6 +1546,10 @@ break; #endif case CURL_SSLVERSION_SSLv3: +#ifdef OPENSSL_NO_SSL3 + failf(data, "OpenSSL was built without SSLv3 support"); + return CURLE_NOT_BUILT_IN; +#else #ifdef USE_TLS_SRP if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) return CURLE_SSL_CONNECT_ERROR; @@ -1553,6 +1557,7 @@ req_method = SSLv3_client_method(); use_sni(FALSE); break; +#endif } if(connssl->ctx)
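
Review bot: In the first hunk (@@ -1546), the new guard tests only OPENSSL_NO_SSL3, while the description says that this define still leaves the SSLv3 method in place and that actual removal is signalled by OPENSSL_NO_SSL3_METHOD. A build that defines OPENSSL_NO_SSL3_METHOD without OPENSSL_NO_SSL3 would still reach the #else branch and reference SSLv3_client_method(). Consider `#if defined(OPENSSL_NO_SSL3) || defined(OPENSSL_NO_SSL3_METHOD)`, or state in the commit message that OPENSSL_NO_SSL3 is always defined whenever the methods are dropped.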
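
Review bot: The `+#endif` added after `break;` in the second hunk (@@ -1553) carries no comment naming the conditional it closes, and it ends the `#ifdef OPENSSL_NO_SSL3` opened in the previous hunk with the `#ifdef USE_TLS_SRP` block nested inside it. Suggest writing it as `#endif /* OPENSSL_NO_SSL3 */` so the pairing stays readable across the case body.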