[Pkg-haproxy-maintainers] Bug#822954: haproxy-1.5.8 Disable SSLv3
Anoop Seburuth
anoop at hackers.mu
Fri Apr 29 10:23:53 UTC 2016
Package: haproxy
Version: 1.5.8
The problem is described here: https://www.rfc-editor.org/rfc/rfc7568.txt
According to RFC 7568, SSLv3 is no longer considered secure. This patch
disables SSLv3 if the system's OpenSSL is compiled without it (Jessie).
Below is a transcript:
--- haproxy-1.5.8.orig/src/ssl_sock.c
+++ haproxy-1.5.8/src/ssl_sock.c
@@ -1506,8 +1506,14 @@ int ssl_sock_prepare_ctx(struct bind_con
ssloptions |= SSL_OP_NO_TLSv1_2;
if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
ssloptions |= SSL_OP_NO_TICKET;
- if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3)
+ if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3) {
+#ifndef OPENSSL_NO_SSL3
SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
+#else
+ Alert("SSLv3 support requested but unavailable.\n");
+ cfgerr++;
+#endif
+ }
if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV10)
SSL_CTX_set_ssl_version(ctx, TLSv1_server_method());
#if SSL_OP_NO_TLSv1_1
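Review bot: the new error path `+ Alert("SSLv3 support requested but unavailable.\n");` does not say which listener asked for SSLv3, so an operator with several `bind ... ssl` lines gets a hard config failure (via `cfgerr++`) with no pointer to the line to fix; consider adding the proxy name and the config file/line to the message. Failing the configuration rather than silently falling through to the following `if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV10)` check is the right call for a protocol-version request that cannot be honoured, so the `cfgerr++` itself should stay.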
@@ -1853,8 +1859,14 @@ int ssl_sock_prepare_srv_ctx(struct serv
options |= SSL_OP_NO_TLSv1_2;
if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
options |= SSL_OP_NO_TICKET;
- if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
+ if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3) {
+#ifndef OPENSSL_NO_SSL3
SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
+#else
+ Alert("SSLv3 support requested but unavailable.");
+ cfgerr++;
+#endif
+ }
if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_client_method());
#if SSL_OP_NO_TLSv1_1
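Review bot: the Alert string in this hunk, `+ Alert("SSLv3 support requested but unavailable.");`, is missing the trailing `\n` that the same message carries in the `ssl_sock_prepare_ctx` hunk, so the next log line will run on to the same line; make the two strings consistent, and preferably distinguish them (server-side `ssl_ctx` versus bind line, with the server name) so a reader of the log can tell which of the two code paths fired.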
I am using Debian GNU/Linux 8 (Jessie), Kernel 3.16.7-ckt25-1 and GLIBC
2.19-18+deb8u4