Source: libcrypt-ssleay-perl
Version: 0.58-1
Severity: serious

Hi,
Your package has code in SSLeay.xs that does:

    if(ssl_version == 23) {
        ctx = SSL_CTX_new(SSLv23_client_method());
    } else if(ssl_version == 3) {
        ctx = SSL_CTX_new(SSLv3_client_method());
    } else {
    #ifndef OPENSSL_NO_SSL2
        /* v2 is the default */
        ctx = SSL_CTX_new(SSLv2_client_method());
    #else
        /* v3 is the default */
        ctx = SSL_CTX_new(SSLv3_client_method());
    #endif
    }

You really only ever want to use SSLv23_client_method() since that is the only one that supports multiple versions.

I suggest you modify your nossl2.patch to just replace all of the above by:

    ctx = SSL_CTX_new(SSLv23_client_method());

ssl_version would then become an unused variable.

Just like SSLv2 has already been removed, SSLv3 is now also removed because it's insecure.

Kurt