Source: polygraph
Version: 4.3.2-1.2
Severity: serious
Control: block 797926 by -1

Hi,

The SSLv3 method has been disabled in openssl and as a result your
package no longer builds.

The code looks like this:

    switch(protocol) {
        case SSLv2:
#ifndef OPENSSL_NO_SSL2
            theCtx = ::SSL_CTX_new(::SSLv2_method());
#endif
            break;
        case TLSv1:
            theCtx = ::SSL_CTX_new(::TLSv1_method());
            break;
        case SSLv3:
            theCtx = ::SSL_CTX_new(::SSLv3_method());
            break;
        case SSLv23:
            theCtx = ::SSL_CTX_new(::SSLv23_method());
            break;
        default:
            theCtx = ::SSL_CTX_new(::SSLv23_method());
            Should(false);
    }

I suggest you remove all of that and only use SSLv23_method(). All the
others are version specific methods, only SSLv23_* speaks multiple
versions. If you want to support selection of versions, I suggest you
use SSL_(CTX)_set_options with something like SSL_OP_NO_SSLv3.

Kurt