On Fri, Nov 06, 2015 at 05:48:32PM +0100, gregor herrmann wrote:
> I have to admit that I'm still not completely sure if/how this
> affects us packaging-wise. My current understanding is that the
> library would allow setting SSLv3 via HTTPS_VERSION, which will fail
> now on Debian, but that it should just work fine with the default
> values. Is this correct?
As discussed on IRC, it looks to me like there's no code support for HTTPS_VERSION in 0.73_04 anymore. It seems to be just a leftover in the docs.

The upstream code in 0.73_04 now uses SSLv23_client_method() with SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 by default, and with SSL_OP_ALL | SSL_OP_NO_SSLv2 if the (currently undocumented) environment variable CRYPT_SSLEAY_ALLOW_SSLv3 is set.

This seems to be pretty much what we want, so I think uploading 0.73_04 is the way to fix this bug. The docs could be improved a bit of course.

-- 
Niko Tyni nt...@debian.org