Package: curl
Severity: important
Tags: patch

Hi,

I would like to get rid of the SSLv3 methods in openssl.  The
patch brings curl in the same state as for SSLv2 in that it
doesn't try and use SSLv3 methods when openssl is built without
SSLv3 support.

I'm using the OPENSSL_NO_SSL3 define which currently actually
means SSLv3 method still exists but where the SSLv23_client_method
stopped doing SSLv3.

In the version in experimental the methods are really dropped and
you can see that by the OPENSSL_NO_SSL3_METHOD define.  You could
use that define if you really wanted.


Kurt

--- ./lib/vtls/openssl.c.old	2014-11-08 12:48:34.162629285 +0100
+++ ./lib/vtls/openssl.c	2014-11-08 12:49:42.001175881 +0100
@@ -1546,6 +1546,10 @@
     break;
 #endif
   case CURL_SSLVERSION_SSLv3:
+#ifdef OPENSSL_NO_SSL3
+    failf(data, "OpenSSL was built without SSLv3 support");
+    return CURLE_NOT_BUILT_IN;
+#else
 #ifdef USE_TLS_SRP
     if(data->set.ssl.authtype == CURL_TLSAUTH_SRP)
       return CURLE_SSL_CONNECT_ERROR;
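Review bot: the new `#ifdef OPENSSL_NO_SSL3` branch under `case CURL_SSLVERSION_SSLv3:` has no comment explaining the choice of guard. The cover message says this define can be set while the SSLv3 method still exists, and that actual removal is signalled by OPENSSL_NO_SSL3_METHOD. A one-line comment above the `#ifdef` saying that SSLv3 is refused whenever the library has it disabled, not only when the method is gone, would save the next reader from reading this as a pure link-time guard. Note also that the early `return CURLE_NOT_BUILT_IN;` now runs before the `CURL_TLSAUTH_SRP` check, so a caller that explicitly asks for SSLv3 gets a different error code than before on such builds; that deserves a mention in the change description.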
@@ -1553,6 +1557,7 @@
     req_method = SSLv3_client_method();
     use_sni(FALSE);
     break;
+#endif
   }
 
   if(connssl->ctx)
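Review bot: the added `#endif` after `break;` closes the `#else` opened in the previous hunk, with an `#ifdef USE_TLS_SRP` block opening in between, so it is easy to misread which conditional it terminates. Annotating it as `#endif /* OPENSSL_NO_SSL3 */` would make the pairing clear. It also leaves the closing `}` of the switch directly after a case whose body is compiled out to an unconditional `return` when the define is set, which is fine, but worth confirming that no compiler in the supported set warns about the now missing `break;` on that path.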
