[Pkg-ace-devel] Bug#622074: ace: FTBFS: SSL_Context.cpp:244:16: error: '::SSLv2_client_method' has not been declared

Thomas Girard thomas.g.girard at free.fr
Mon May 9 20:13:28 UTC 2011


forwarded 622074 http://bugzilla.dre.vanderbilt.edu/show_bug.cgi?id=3958
tags 622074 + upstream
thanks

Hello,

Because SSLv2 is considered dangerous, it was disabled in the Debian
openssl packages[1].

This causes ace 6.0.1 packages to fail to build from source (FTBFS)[2].

We are requesting your opinion/help on how to fix this properly. Quoting
[3], we saw 3 different options:

  a) Keep the SSLv2 entries in the enumerations but make them actually
     use SSLv3.

     It has the advantage if the application uses Debian on both sides,
     there is no need for changes in the application. On the other
     hand, it may lead to very weird to debug situations if you are
     connecting to an SSLv2-only service that is not using Debian on
     the other side ("hey, I'm telling it to use SSLv2 yet it fails",
     yeah, it's because ACE SSLv2 is actually ACE SSLv3).

  b) Completely remove SSLv2

     Meaning: including removal from the enumerations, but keeping the
     blanks for the former SSLv2 values (to avoid renumbering the
     enumerations).

     Advantage: it makes explicit that SSLv2 is no longer supported.

     Disadvantage: I need to check what happens with SSLv23 calls, I
     can't remember if the code is easily transformable to SSLv3 calls.

     I think this is the best choice.

  c) Just disable SSLv2

     Meaning: keep the enumerations, keep the methods, but instead of
     making the calls to OpenSSL, fail. IMHO we should completely
     discard this.

So far we implemented b). But the following use case seems to break it:
say we have an application which uses ACE SSLv2:
 - application recompilation will fail, allowing a switch to SSLv3.
 - but if it's not recompiled, then the application will silently
   switch to SSLv3 (because of the default clause in the
   ACE_SSL_Context::set_mode())
   I don't understand this default: clause. I believe
   ACE_SSL_Context::set_mode() should reject unsupported modes.

What do you think? Is the change b), and its side-effect in the
scenario above, an acceptable change? Any other idea?

Thanks,
Regards,

Thomas

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589706
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622074
[3] http://lists.alioth.debian.org/pipermail/pkg-ace-devel/2011-April/002458.html
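The set_mode() behaviour discussed in the message above, shown as an added, self-contained example (this is not ACE's or Debian's code, and the enumeration values, names and the SslContextStandIn type are hypothetical stand-ins chosen for illustration). It contrasts the silent fallback of a default clause that maps any unknown mode to SSLv3 with a strict variant that rejects unsupported modes, and simulates an application that was not recompiled after the SSLv2 entries were removed and therefore still passes the old SSLv2 value:

```cpp
#include <cerrno>
#include <string>

// Hypothetical mode enumeration modelled on the shape of the discussion
// above, NOT ACE's own numbering: the former SSLv2 slots are kept as
// reserved gaps so the later values keep their numeric positions.
enum SslMode {
    MODE_RESERVED_0 = 0,    // formerly SSLv2 client, now unsupported
    MODE_RESERVED_1 = 1,    // formerly SSLv2 server, now unsupported
    MODE_RESERVED_2 = 2,    // formerly SSLv2 (both), now unsupported
    MODE_SSLv3_CLIENT = 3,
    MODE_SSLv3_SERVER = 4,
    MODE_SSLv3 = 5,
    MODE_SSLv23_CLIENT = 6,
    MODE_SSLv23_SERVER = 7,
    MODE_SSLv23 = 8,
    MODE_TLSv1_CLIENT = 9,
    MODE_TLSv1_SERVER = 10,
    MODE_TLSv1 = 11
};

// Stand-in for a context object: it records which OpenSSL method name
// would be requested instead of calling OpenSSL, so it runs offline.
struct SslContextStandIn {
    std::string method;  // empty until a mode has been accepted

    // Maps a supported mode to the OpenSSL method it would select.
    // Returns false for reserved or unknown values and leaves out untouched.
    static bool lookup(int mode, std::string &out) {
        switch (mode) {
        case MODE_SSLv3_CLIENT:  out = "SSLv3_client_method";  return true;
        case MODE_SSLv3_SERVER:  out = "SSLv3_server_method";  return true;
        case MODE_SSLv3:         out = "SSLv3_method";         return true;
        case MODE_SSLv23_CLIENT: out = "SSLv23_client_method"; return true;
        case MODE_SSLv23_SERVER: out = "SSLv23_server_method"; return true;
        case MODE_SSLv23:        out = "SSLv23_method";        return true;
        case MODE_TLSv1_CLIENT:  out = "TLSv1_client_method";  return true;
        case MODE_TLSv1_SERVER:  out = "TLSv1_server_method";  return true;
        case MODE_TLSv1:         out = "TLSv1_method";         return true;
        default:                 return false;
        }
    }

    // Silent-fallback variant (the behaviour the message describes): any
    // value not in the table, including a stale SSLv2 value from a binary
    // built before the removal, quietly becomes SSLv3 and reports success.
    int set_mode_silent(int mode) {
        if (!lookup(mode, method))
            method = "SSLv3_method";
        return 0;
    }

    // Strict variant (the behaviour the message asks for): unsupported
    // modes are rejected with -1/EINVAL and the context is left unchanged.
    int set_mode_strict(int mode) {
        std::string selected;
        if (!lookup(mode, selected)) {
            errno = EINVAL;
            return -1;
        }
        method = selected;
        return 0;
    }
};

// Simulates an application that was NOT recompiled after the SSLv2 removal
// and still passes the old SSLv2 client value (0 in this constructed
// numbering). Returns the method the context ended up with, or "rejected"
// when set_mode refused the value.
std::string legacy_app_result(bool strict) {
    const int stale_sslv2_client_value = MODE_RESERVED_0;
    SslContextStandIn ctx;
    int rc = strict ? ctx.set_mode_strict(stale_sslv2_client_value)
                    : ctx.set_mode_silent(stale_sslv2_client_value);
    return rc == 0 ? ctx.method : "rejected";
}
```

With the silent variant the un-recompiled application gets an SSLv3 context while believing it asked for SSLv2; with the strict variant the call fails at the point where the mismatch can still be diagnosed, which is the behaviour the message argues set_mode() should have.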