1 Index: ckermit/ck_ssl.c
2 ===================================================================
3 --- ckermit.orig/ck_ssl.c
4 +++ ckermit/ck_ssl.c
5 @@ -1604,10 +1604,12 @@ ssl_tn_init(mode) int mode;
6              /* This can fail because we do not have RSA available */
7              if ( !ssl_ctx ) {
8                  debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
9 +#ifndef DISABLE_SSLV3
10                  ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
11              }
12              if ( !ssl_ctx ) {
13                  debug(F110,"ssl_tn_init","SSLv3_client_method failed",0);
14 +#endif
15                  last_ssl_mode = -1;
16                  return(0);
17              }
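Review bot: The `#ifndef DISABLE_SSLV3` region opened after the first debug() call encloses the `}` that closes one `if` and the `{` that opens the next, so the braces only balance when the reader counts across the preprocessor boundary; the server-side hunk at -1651 has exactly the same shape. A closing marker with a one-line explanation would make the intent explicit, e.g. `#endif /* DISABLE_SSLV3: with SSLv3 out, an SSLv23 failure falls straight through to the error return */`, matching the `#endif /* DISABLE_SSLV3 */` style the -1630 hunk already uses. As far as this page shows the patch carries no DEP-3 description before the `Index:` line, so nothing records that every hunk is a no-op unless the build defines DISABLE_SSLV3, which is not visible here. ssl_tn_init begins before and ends after this hunk.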
18 @@ -1630,10 +1632,14 @@ ssl_tn_init(mode) int mode;
19                      debug(F110,"ssl_tn_init","SSLv23_client_method OK",0);
20                  } else {
21                      debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
22 +#ifndef DISABLE_SSLV3
23                      tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
24 +#endif /* DISABLE_SSLV3 */
25                      if ( !tls_ctx ) {
26 +#ifndef DISABLE_SSLV3
27                          debug(F110,
28 -                              "ssl_tn_init","TLSv1_client_method failed",0);
29 +                              "ssl_tn_init","SSLv3_client_method failed",0);
30 +#endif /* DISABLE_SSLV3 */
31                          debug(F110,
32                                "ssl_tn_init","All SSL client methods failed",0);
33                          last_ssl_mode = -1;
34 @@ -1651,10 +1657,12 @@ ssl_tn_init(mode) int mode;
35              /* This can fail because we do not have RSA available */
36              if ( !ssl_ctx ) {
37                  debug(F110,"ssl_tn_init","SSLv23_server_method failed",0);
38 +#ifndef DISABLE_SSLV3
39                  ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method());
40              }
41              if ( !ssl_ctx ) {
42                  debug(F110,"ssl_tn_init","SSLv3_server_method failed",0);
43 +#endif
44                  last_ssl_mode = -1;
45                  return(0);
46              }
47 @@ -1688,9 +1696,17 @@ ssl_tn_init(mode) int mode;
48           * that cannot read poorly written specs :-)
49           * for TLS be sure to prevent use of SSLv2
50           */
51 -        SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2);
52 +        SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2
53 +#ifdef DISABLE_SSLV3
54 +                                    |SSL_OP_NO_SSLv3
55 +#endif
56 +            );
57          SSL_CTX_set_options(tls_ctx,
58 -                 SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
59 +                 SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
60 +#ifdef DISABLE_SSLV3
61 +                 |SSL_OP_NO_SSLv3
62 +#endif
63 +            );
64  
65          SSL_CTX_set_info_callback(ssl_ctx,ssl_client_info_callback);
66          SSL_CTX_set_info_callback(tls_ctx,ssl_client_info_callback);
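Review bot: The option mask is assembled with `#ifdef DISABLE_SSLV3` spliced into the middle of the SSL_CTX_set_options() argument lists (both calls here, again in the ssl_http_init hunk at -2215, and in the two ckcftp.c ssl_auth hunks), which makes each call site hard to read and easy to miss when the next protocol version is retired. Defining the set of refused legacy versions once, for example as a file-scope macro near the top of ck_ssl.c, and ORing it into every call keeps the call sites flat and guarantees all contexts get the same policy. The comment above the first call, `for TLS be sure to prevent use of SSLv2`, should also be updated, e.g. `* for TLS be sure to prevent use of SSLv2 (and SSLv3 when built with DISABLE_SSLV3)`. Whether the Debian build actually defines DISABLE_SSLV3 is not visible in this patch; if it does not, these hunks change nothing and SSLv3 remains negotiable on the SSLv23 contexts. ssl_tn_init continues outside the hunk.
```c
/* Legacy protocol versions every context must refuse; extend this one
 * definition when another version is retired, not each call site. */
#ifdef DISABLE_SSLV3
#define CK_SSL_OP_NO_LEGACY (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3)
#else
#define CK_SSL_OP_NO_LEGACY (SSL_OP_NO_SSLv2)
#endif /* DISABLE_SSLV3 */

/* … unchanged: ssl_tn_init up to the options block … */
        SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|CK_SSL_OP_NO_LEGACY);
        SSL_CTX_set_options(tls_ctx,
                 CK_SSL_OP_NO_LEGACY|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
```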
67 @@ -2215,7 +2231,11 @@ ssl_http_init(hostname) char * hostname;
68       * for TLS be sure to prevent use of SSLv2
69       */
70      SSL_CTX_set_options(tls_http_ctx,
71 -            SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
72 +            SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
73 +#ifdef DISABLE_SSLV3
74 +            |SSL_OP_NO_SSLv3
75 +#endif
76 +        );
77  
78      SSL_CTX_set_info_callback(tls_http_ctx,ssl_client_info_callback);
79  
80 Index: ckermit/ckcftp.c
81 ===================================================================
82 --- ckermit.orig/ckcftp.c
83 +++ ckermit/ckcftp.c
84 @@ -10210,9 +10210,11 @@ ssl_auth() {
85      if (ftp_bug_use_ssl_v2) {
86          /* allow SSL 2.0 or later */
87          client_method = SSLv23_client_method();
88 +#ifndef DISABLE_SSLV3
89      } else if (ftp_bug_use_ssl_v3) {
90          /* allow SSL 3.0 ONLY - previous default */
91          client_method = SSLv3_client_method();
92 +#endif /* DISABLE_SSLV3 */
93      } else {
94          /* default - allow TLS 1.0 or later */
95          client_method = TLSv1_client_method();
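Review bot: When DISABLE_SSLV3 is defined the whole `else if (ftp_bug_use_ssl_v3)` branch disappears, so a user who set the ssl_v3 bug option silently gets the TLSv1 default with no trace in the debug log that their setting was overridden. Falling back to TLS is the right outcome, but the override should be visible: keep the branch unconditionally and switch only its body on DISABLE_SSLV3, logging the substitution with the same debug(F110, ...) form used elsewhere in this file. The start and end of ssl_auth lie outside this hunk.
```c
    } else if (ftp_bug_use_ssl_v3) {
#ifndef DISABLE_SSLV3
        /* allow SSL 3.0 ONLY - previous default */
        client_method = SSLv3_client_method();
#else
        /* SSLv3 compiled out: honour the request as TLS 1.0 or later */
        debug(F110,"ssl_auth","ssl_v3 requested but disabled at build",0);
        client_method = TLSv1_client_method();
#endif /* DISABLE_SSLV3 */
    } else {
        /* … unchanged: TLSv1 default … */
```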
96 @@ -10223,6 +10225,9 @@ ssl_auth() {
97            return(0);
98          SSL_CTX_set_options(ssl_ftp_ctx,
99                              SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
100 +#ifdef DISABLE_SSLV3
101 +                            |SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
102 +#endif
103                              );
104      } else {
105          ssl_ftp_ctx = SSL_CTX_new(client_method);
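Review bot: The added `SSL_OP_NO_SSLv2` lands in the branch reached only when ftp_bug_use_ssl_v2 is set, whose comment at the top of the preceding hunk reads `/* allow SSL 2.0 or later */`, so under DISABLE_SSLV3 a user who asked for SSLv2 compatibility silently gets TLS-only and that comment is no longer true. Refusing SSLv2 is a sound outcome, but it is wider than the patch name states and should be reflected in the comment, e.g. `/* allow SSL 2.0 or later (TLS only when built with DISABLE_SSLV3) */`, and in the patch description. The `if (ftp_bug_use_ssl_v2)` that opens this branch and the rest of ssl_auth are outside the hunk.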
106 @@ -10231,6 +10236,9 @@ ssl_auth() {
107          SSL_CTX_set_options(ssl_ftp_ctx,
108                              (ftp_bug_use_ssl_v2 ? 0 : SSL_OP_NO_SSLv2)|
109                              SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
110 +#ifdef DISABLE_SSLV3
111 +                            |SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
112 +#endif
113                              );
114      }
115      SSL_CTX_set_default_passwd_cb(ssl_ftp_ctx,
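Review bot: Once `|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3` is ORed in unconditionally under DISABLE_SSLV3, the `(ftp_bug_use_ssl_v2 ? 0 : SSL_OP_NO_SSLv2)` term two lines above it is dead in that configuration, and since the -10210 hunk leaves TLSv1_client_method() as the only client_method that can reach this else branch when DISABLE_SSLV3 is defined, the added bits appear to be a no-op here. Either drop the addition in this branch or say why it stays, e.g. `/* redundant with TLSv1_client_method(); kept so every ftp context carries the same NO_SSLv2|NO_SSLv3 policy */`. ssl_auth continues after this hunk.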