Source: ace
Version: 6.3.2+dfsg-1
Severity: serious
Control: block 797926 by -1
Ace has various code that can use functions like SSLv3_client_method(). For SSL2 you currently already do use OPENSSL_NO_SSL2. Please also use OPENSSL_NO_SSL3 to remove support for the SSLv3 methods.

It seems that by default you use SSLv3_method(). Please use SSLv23_method() by default. Only the SSLv23_* methods support multiple versions of the protocol, while things like SSLv3_* will only support that specific protocol version.

In the long run, we're going to remove all the version specific methods so only the current SSLv23_* methods will keep existing. (It has been renamed to TLS_* in the master branch.) So I recommend that you get rid of all the other version specific functions.

It seems you already have support for limiting the versions of SSLv23_* by using things like SSL_OP_NO_SSLv3.

Kurt
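
One way to check a C/C++ tree for what this report asks, as an added example that is not part of the original report or of ACE: a Python scan that lists calls to version-specific OpenSSL methods and says whether each SSLv2/SSLv3 call sits inside its OPENSSL_NO_SSL2/OPENSSL_NO_SSL3 guard. The audit function, its status labels and the sample source are constructed for illustration.

```python
import re

# Version-specific constructors; SSLv23_* negotiates the version and is not flagged.
PINNED = re.compile(r"\b(SSLv2|SSLv3|TLSv1(?:_[12])?)_(?:client_|server_)?method\s*\(")
GUARD_FOR = {"SSLv2": "OPENSSL_NO_SSL2", "SSLv3": "OPENSSL_NO_SSL3"}  # guards named in the report
DIRECTIVE = re.compile(r"#\s*(ifndef|ifdef|if|elif|else|endif)\b")
# "#ifndef X" or "#if !defined (X)"; compound conditions count as no guard (assumption).
NOT_DEFINED = re.compile(r"#\s*(?:ifndef\s+|if\s+!\s*defined\s*\(?\s*)(\w+)\s*\)?\s*$")

def audit(source):
    """Return (line_no, call, status) for every version-specific method call."""
    findings, stack = [], []          # stack: macro known undefined per open #if
    for no, line in enumerate(source.splitlines(), 1):
        text = line.split("//")[0].strip()
        d = DIRECTIVE.match(text)
        if d:
            kind = d.group(1)
            if kind in ("ifndef", "ifdef", "if"):
                m = NOT_DEFINED.match(text)
                stack.append(m.group(1) if m else None)
            elif kind in ("elif", "else") and stack:
                stack[-1] = None      # other branch: the macro is defined here
            elif kind == "endif" and stack:
                stack.pop()
            continue
        for m in PINNED.finditer(text):
            guard = GUARD_FOR.get(m.group(1))
            status = ("version-specific" if guard is None
                      else "guarded" if guard in stack else "unguarded")
            findings.append((no, m.group(0).rstrip("( \t"), status))
    return findings

# Constructed sample source, not taken from ACE.
SAMPLE = """\
#if !defined (OPENSSL_NO_SSL2)
  case 2: return SSLv2_client_method ();
#endif
  case 3: return SSLv3_client_method ();
#ifndef OPENSSL_NO_SSL3
  case 4: return SSLv3_server_method();
#endif
  case 5: return TLSv1_method();
  default: return SSLv23_method();
"""

if __name__ == "__main__":
    for no, call, status in audit(SAMPLE):
        print(f"line {no}: {call}: {status}")
```

An "unguarded" SSLv3 call is one that still needs the OPENSSL_NO_SSL3 guard; "version-specific" marks the remaining pinned methods the report recommends replacing with SSLv23_*.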