dep3 headers for new patches
1 Description: Add DISABLE_SSLV3 compile-time option
2  Needed to link with Debian's openssl, which has ssl3_{client,server}_method() disabled.
3 Author: Ian Beckwith <ianb@erislabs.net>
4 Forwarded: fdc@columbia.edu
5 Last-Update: 2015-12-14
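Index: ckermit/ck_ssl.c
===================================================================
--- ckermit.orig/ck_ssl.c
+++ ckermit/ck_ssl.c
@@ -1604,10 +1604,12 @@ ssl_tn_init(mode) int mode;
             /* This can fail because we do not have RSA available */
             if ( !ssl_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
+#ifndef DISABLE_SSLV3
                 ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
             }
             if ( !ssl_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv3_client_method failed",0);
+#endif
                 last_ssl_mode = -1;
                 return(0);
             }
@@ -1630,10 +1632,14 @@ ssl_tn_init(mode) int mode;
                     debug(F110,"ssl_tn_init","SSLv23_client_method OK",0);
                 } else {
                     debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
+#ifndef DISABLE_SSLV3
                     tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
+#endif /* DISABLE_SSLV3 */
                     if ( !tls_ctx ) {
+#ifndef DISABLE_SSLV3
                         debug(F110,
-                              "ssl_tn_init","TLSv1_client_method failed",0);
+                              "ssl_tn_init","SSLv3_client_method failed",0);
+#endif /* DISABLE_SSLV3 */
                         debug(F110,
                               "ssl_tn_init","All SSL client methods failed",0);
                         last_ssl_mode = -1;
@@ -1651,10 +1657,12 @@ ssl_tn_init(mode) int mode;
             /* This can fail because we do not have RSA available */
             if ( !ssl_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv23_server_method failed",0);
+#ifndef DISABLE_SSLV3
                 ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method());
             }
             if ( !ssl_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv3_server_method failed",0);
+#endif
                 last_ssl_mode = -1;
                 return(0);
             }
@@ -1688,9 +1696,17 @@ ssl_tn_init(mode) int mode;
          * that cannot read poorly written specs :-)
          * for TLS be sure to prevent use of SSLv2
          */
-        SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2);
+        SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2
+#ifdef DISABLE_SSLV3
+                                    |SSL_OP_NO_SSLv3
+#endif
+            );
         SSL_CTX_set_options(tls_ctx,
-                 SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
+                 SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
+#ifdef DISABLE_SSLV3
+                 |SSL_OP_NO_SSLv3
+#endif
+            );
 
         SSL_CTX_set_info_callback(ssl_ctx,ssl_client_info_callback);
         SSL_CTX_set_info_callback(tls_ctx,ssl_client_info_callback);
@@ -2215,7 +2231,11 @@ ssl_http_init(hostname) char * hostname;
      * for TLS be sure to prevent use of SSLv2
      */
     SSL_CTX_set_options(tls_http_ctx,
-            SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
+            SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
+#ifdef DISABLE_SSLV3
+            |SSL_OP_NO_SSLv3
+#endif
+        );
 
     SSL_CTX_set_info_callback(tls_http_ctx,ssl_client_info_callback);
 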
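Review bot: In the @@ -1604 hunk the `#ifndef DISABLE_SSLV3` / `#endif` pair cuts across the `}` and the following `if ( !ssl_ctx ) {`, so a DISABLE_SSLV3 build only stays brace-balanced because the excluded span happens to remove exactly one closing and one opening brace; the server-side @@ -1651 hunk has the same shape. Wrapping only the `SSL_CTX_new(SSLv3_client_method())` assignment and the SSLv3 debug line, as the @@ -1630 hunk already does, keeps both `if` blocks intact in either configuration with identical behaviour. The `#endif` lines in these two hunks also lack the `/* DISABLE_SSLV3 */` tag the other hunks carry, and the comment `for TLS be sure to prevent use of SSLv2` above the @@ -1688 and @@ -2215 option calls now understates what a DISABLE_SSLV3 build does; something like `for TLS be sure to prevent use of SSLv2 (and SSLv3 when DISABLE_SSLV3)` would keep it accurate. ssl_tn_init begins and continues outside these hunks.

```c
            if ( !ssl_ctx ) {
                debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
#ifndef DISABLE_SSLV3
                ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
#endif /* DISABLE_SSLV3 */
            }
            if ( !ssl_ctx ) {
#ifndef DISABLE_SSLV3
                debug(F110,"ssl_tn_init","SSLv3_client_method failed",0);
#endif /* DISABLE_SSLV3 */
                last_ssl_mode = -1;
                return(0);
            }
```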
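Index: ckermit/ckcftp.c
===================================================================
--- ckermit.orig/ckcftp.c
+++ ckermit/ckcftp.c
@@ -10210,9 +10210,11 @@ ssl_auth() {
     if (ftp_bug_use_ssl_v2) {
         /* allow SSL 2.0 or later */
         client_method = SSLv23_client_method();
+#ifndef DISABLE_SSLV3
     } else if (ftp_bug_use_ssl_v3) {
         /* allow SSL 3.0 ONLY - previous default */
         client_method = SSLv3_client_method();
+#endif /* DISABLE_SSLV3 */
     } else {
         /* default - allow TLS 1.0 or later */
         client_method = TLSv1_client_method();
@@ -10223,6 +10225,9 @@ ssl_auth() {
           return(0);
         SSL_CTX_set_options(ssl_ftp_ctx,
                             SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
+#ifdef DISABLE_SSLV3
+                            |SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
+#endif
                             );
     } else {
         ssl_ftp_ctx = SSL_CTX_new(client_method);
@@ -10231,6 +10236,9 @@ ssl_auth() {
         SSL_CTX_set_options(ssl_ftp_ctx,
                             (ftp_bug_use_ssl_v2 ? 0 : SSL_OP_NO_SSLv2)|
                             SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
+#ifdef DISABLE_SSLV3
+                            |SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
+#endif
                             );
     }
     SSL_CTX_set_default_passwd_cb(ssl_ftp_ctx,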
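Review bot: In the @@ -10231 hunk the added `|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3` makes the `(ftp_bug_use_ssl_v2 ? 0 : SSL_OP_NO_SSLv2)` term on the line above dead code under DISABLE_SSLV3, and the @@ -10223 hunk likewise turns SSLv2 off on the context that was just created from `SSLv23_client_method()` under the comment `allow SSL 2.0 or later`. Forcing both legacy versions off is the right default, but the net effect is that `ftp_bug_use_ssl_v2`, and in the @@ -10210 hunk `ftp_bug_use_ssl_v3`, are still accepted and then silently ignored, which a user tracing a failed negotiation will not expect. A comment on the added line, `/* DISABLE_SSLV3 also drops SSLv2: ftp_bug_use_ssl_v2 has no effect here */`, or a debug() call in the `else` branch when either flag is set, would make that visible; rejecting the flags where they are parsed (outside this diff) in a DISABLE_SSLV3 build would be clearer still. ssl_auth continues outside these hunks.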