1 Description: Add DISABLE_SSLV3 compile-time option
2 Needed to link with Debian's openssl, which has ssl3_{client,server}_method() disabled.
3 Author: Ian Beckwith <ianb@erislabs.net>
4 Forwarded: fdc@columbia.edu
5 Last-Update: 2015-12-14
6 Index: ckermit/ck_ssl.c
7 ===================================================================
8 --- ckermit.orig/ck_ssl.c
10 @@ -1604,10 +1604,12 @@ ssl_tn_init(mode) int mode;
11 /* This can fail because we do not have RSA available */
13 debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
14 +#ifndef DISABLE_SSLV3
15 ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
18 debug(F110,"ssl_tn_init","SSLv3_client_method failed",0);
19 +#endif /* DISABLE_SSLV3 */
23 @@ -1630,10 +1632,14 @@ ssl_tn_init(mode) int mode;
24 debug(F110,"ssl_tn_init","SSLv23_client_method OK",0);
26 debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
27 +#ifndef DISABLE_SSLV3
28 tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
29 +#endif /* DISABLE_SSLV3 */
31 +#ifndef DISABLE_SSLV3
33 - "ssl_tn_init","TLSv1_client_method failed",0);
34 + "ssl_tn_init","SSLv3_client_method failed",0);
35 +#endif /* DISABLE_SSLV3 */
37 "ssl_tn_init","All SSL client methods failed",0);
39 @@ -1651,10 +1657,12 @@ ssl_tn_init(mode) int mode;
40 /* This can fail because we do not have RSA available */
42 debug(F110,"ssl_tn_init","SSLv23_server_method failed",0);
43 +#ifndef DISABLE_SSLV3
44 ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method());
47 debug(F110,"ssl_tn_init","SSLv3_server_method failed",0);
48 +#endif /* DISABLE_SSLV3 */
52 @@ -1688,9 +1696,17 @@ ssl_tn_init(mode) int mode;
53 * that cannot read poorly written specs :-)
54 * for TLS be sure to prevent use of SSLv2
56 - SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2);
57 + SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2
60 +#endif /* DISABLE_SSLV3 */
62 SSL_CTX_set_options(tls_ctx,
63 - SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
64 + SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
67 +#endif /* DISABLE_SSLV3 */
70 SSL_CTX_set_info_callback(ssl_ctx,ssl_client_info_callback);
71 SSL_CTX_set_info_callback(tls_ctx,ssl_client_info_callback);
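Review bot: The SSLv3 exclusion on `ssl_ctx` and `tls_ctx` appears to be applied only when `DISABLE_SSLV3` is defined, so a build without the macro would still let the `SSLv23_*_method()` contexts negotiate SSLv3, which RFC 7568 deprecates. The added option lines are not visible in this rendering, so this is inferred from the `#endif /* DISABLE_SSLV3 */` placement and from the ckcftp.c hunks that add `|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3` under `#ifdef`. For `tls_ctx`, where the comment already says `for TLS be sure to prevent use of SSLv2`, I would pass `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA` unconditionally. The `#ifndef` would then only need to guard the calls to the removed `SSLv3_*_method()` symbols, and the same applies to `tls_http_ctx` in the `ssl_http_init` hunk. `ssl_tn_init` starts and ends outside this hunk.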
72 @@ -2215,7 +2231,11 @@ ssl_http_init(hostname) char * hostname;
73 * for TLS be sure to prevent use of SSLv2
75 SSL_CTX_set_options(tls_http_ctx,
76 - SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
77 + SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
80 +#endif /* DISABLE_SSLV3 */
83 SSL_CTX_set_info_callback(tls_http_ctx,ssl_client_info_callback);
85 Index: ckermit/ckcftp.c
86 ===================================================================
87 --- ckermit.orig/ckcftp.c
89 @@ -10210,9 +10210,11 @@ ssl_auth() {
90 if (ftp_bug_use_ssl_v2) {
91 /* allow SSL 2.0 or later */
92 client_method = SSLv23_client_method();
93 +#ifndef DISABLE_SSLV3
94 } else if (ftp_bug_use_ssl_v3) {
95 /* allow SSL 3.0 ONLY - previous default */
96 client_method = SSLv3_client_method();
97 +#endif /* DISABLE_SSLV3 */
99 /* default - allow TLS 1.0 or later */
100 client_method = TLSv1_client_method();
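Review bot: The default branch still calls `TLSv1_client_method()`, a fixed-version method that negotiates TLS 1.0 only, so the comment `default - allow TLS 1.0 or later` does not match what the code does. To allow newer TLS versions the default would need to be `client_method = SSLv23_client_method();` with `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3` set on the context. Separately, with `DISABLE_SSLV3` defined, a user who sets `ftp_bug_use_ssl_v3` now falls through to the default branch with no diagnostic. A comment such as `/* DISABLE_SSLV3: ftp_bug_use_ssl_v3 is ignored, default method is used */` above the `#ifndef` would make that explicit. `ssl_auth` continues outside this hunk.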
101 @@ -10223,6 +10225,9 @@ ssl_auth() {
103 SSL_CTX_set_options(ssl_ftp_ctx,
104 SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
105 +#ifdef DISABLE_SSLV3
106 + |SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
107 +#endif /* DISABLE_SSLV3 */
110 ssl_ftp_ctx = SSL_CTX_new(client_method);
111 @@ -10231,6 +10236,9 @@ ssl_auth() {
112 SSL_CTX_set_options(ssl_ftp_ctx,
113 (ftp_bug_use_ssl_v2 ? 0 : SSL_OP_NO_SSLv2)|
114 SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
115 +#ifdef DISABLE_SSLV3
116 + |SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
117 +#endif /* DISABLE_SSLV3 */
120 SSL_CTX_set_default_passwd_cb(ssl_ftp_ctx,
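Review bot: Under `DISABLE_SSLV3` the added `|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3` always sets `SSL_OP_NO_SSLv2`, which makes the `(ftp_bug_use_ssl_v2 ? 0 : SSL_OP_NO_SSLv2)` term two lines above it dead. It also contradicts the `allow SSL 2.0 or later` comment in the method-selection hunk. Refusing SSLv2 is the safer outcome, but it should be stated rather than left implicit, for example `/* DISABLE_SSLV3 builds also refuse SSLv2; ftp_bug_use_ssl_v2 has no effect */` next to the `#ifdef`. Alternatively, add only `|SSL_OP_NO_SSLv3` in this call so the existing ternary stays the single place that decides SSLv2. The closing lines of the call and the rest of `ssl_auth` are outside the visible hunk.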