[Pkg-haproxy-maintainers] Bug#822954: haproxy-1.5.8 Disable SSLv3

Anoop Seburuth anoop at hackers.mu
Fri Apr 29 10:23:53 UTC 2016


Package: haproxy
Version: 1.5.8


The problem is described at: https://www.rfc-editor.org/rfc/rfc7568.txt
According to RFC 7568, SSLv3 is no longer considered secure. This patch
disables SSLv3 if the system's OpenSSL is compiled without it. (Jessie)

Below is a transcript:

--- haproxy-1.5.8.orig/src/ssl_sock.c
+++ haproxy-1.5.8/src/ssl_sock.c
@@ -1506,8 +1506,14 @@ int ssl_sock_prepare_ctx(struct bind_con
 		ssloptions |= SSL_OP_NO_TLSv1_2;
 	if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
 		ssloptions |= SSL_OP_NO_TICKET;
-	if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3)
+	if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3) {
+#ifndef OPENSSL_NO_SSL3
 		SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
+#else
+		Alert("SSLv3 support requested but unavailable.\n");
+		cfgerr++;
+#endif
+	}
 	if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV10)
 		SSL_CTX_set_ssl_version(ctx, TLSv1_server_method());
 #if SSL_OP_NO_TLSv1_1
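Review bot: the new Alert() in the OPENSSL_NO_SSL3 branch does not say which listener asked for SSLv3, so on a configuration with many `bind` lines the operator has to search every one of them for the keyword that set BC_SSL_O_USE_SSLV3; bind_conf is in scope here (see the `@@` header), so include the bind line's location in the message, as in `Alert("SSLv3 support requested but unavailable for bind line at [%s:%d].\n", ...)`. Incrementing cfgerr and falling through to the TLSv1 check is correct, since the caller returns the error count rather than the partially configured context.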
@@ -1853,8 +1859,14 @@ int ssl_sock_prepare_srv_ctx(struct serv
 		options |= SSL_OP_NO_TLSv1_2;
 	if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
 		options |= SSL_OP_NO_TICKET;
-	if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
+	if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3) {
+#ifndef OPENSSL_NO_SSL3
 		SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
+#else
+		Alert("SSLv3 support requested but unavailable.");
+		cfgerr++;
+#endif
+	}
 	if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
 		SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_client_method());
 #if SSL_OP_NO_TLSv1_1
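Review bot: the string in `Alert("SSLv3 support requested but unavailable.");` is missing the trailing `\n` that the bind-side message in the previous hunk carries, so whatever is printed next runs onto the same line; make it `Alert("SSLv3 support requested but unavailable.\n");`. The two messages are otherwise identical, which leaves the operator unable to tell whether a `bind` or a `server` line triggered the error; naming the server (srv is in scope) in this one removes the ambiguity.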


I am using Debian GNU/Linux 8 (Jessie), kernel 3.16.7-ckt25-1 and glibc
2.19-18+deb8u4
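An added configuration example, not part of this bug report or of the HAProxy source, showing the operator-facing side of the patch: the `force-sslv3` bind and server keywords are what set the BC_SSL_O_USE_SSLV3 / SRV_SSL_O_USE_SSLV3 flags the hunks test, so on an OpenSSL built with OPENSSL_NO_SSL3 the weak configuration below is now rejected at startup instead of reaching a method that no longer exists, while the corrected configuration never offers SSLv3 at all, whatever the library was built with. Certificate paths, ports and the backend address are placeholders.

```haproxy
### haproxy.cfg (weak): explicitly forces SSLv3 on a listener and on an
### outbound server connection. With the patch applied and an OpenSSL
### built without SSLv3, haproxy refuses this configuration with
### "SSLv3 support requested but unavailable." (once per offending line).
global
    log /dev/log local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend legacy_https
    # force-sslv3 sets BC_SSL_O_USE_SSLV3 -> first hunk's Alert()
    bind :8443 ssl crt /etc/haproxy/legacy.pem force-sslv3
    default_backend legacy_app

backend legacy_app
    # force-sslv3 here sets SRV_SSL_O_USE_SSLV3 -> second hunk's Alert()
    server app1 10.0.0.10:8443 ssl verify none force-sslv3


### haproxy.cfg (corrected): SSLv3 is disabled for every listener and
### every server-side TLS connection by default, so the SSLv3 branch in
### ssl_sock_prepare_ctx()/ssl_sock_prepare_srv_ctx() is never entered,
### and the result does not depend on how OpenSSL was compiled.
global
    log /dev/log local0
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-server-options no-sslv3

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https
    # inherits no-sslv3 from ssl-default-bind-options; only TLS is offered
    bind :443 ssl crt /etc/haproxy/site.pem
    default_backend app

backend app
    # inherits no-sslv3 from ssl-default-server-options
    server app1 10.0.0.10:8443 ssl verify none
```

Checking either file with `haproxy -c -f haproxy.cfg` before restarting the service is the quickest way to see the new Alert() fire on a no-SSLv3 OpenSSL; the corrected file should pass that check unchanged.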


