You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
gentoo-overlay/net-misc/tn5250/files/disable-sslv2-and-sslv3.patch

62 lines
2.3 KiB

From 1acfebd966e8804e6573cbe9287b8b6f028a646c Mon Sep 17 00:00:00 2001
From: Michael Orlitzky <michael@orlitzky.com>
Date: Tue, 23 Aug 2016 18:13:47 -0400
Subject: [PATCH 1/1] sslstream.c: ignore the user's choice of ssl_method.
The SSLv2 and SSLv3 protocols are insecure, and people have begun to
operate without them. LibreSSL, for example, does not have them
enabled, and it is possible to build OpenSSL in the same manner.
If SSLv[23] are disabled, the user would not be able to choose "ssl2"
or "ssl3" as his "ssl_method", an option that was undocumented
anywhere. Therefore there is not much lost, and some security to gain,
by removing the option completely. This commit does that, and uses the
automatic protocol choice that is capable of negotiating TLSv1,
TLSv1.1 and TLSv1.2.
Gentoo-Bug: 591940
---
lib5250/sslstream.c | 26 ++++++++++----------------
1 file changed, 10 insertions(+), 16 deletions(-)
diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
index 7181566..2f91d1a 100644
--- a/lib5250/sslstream.c
+++ b/lib5250/sslstream.c
@@ -362,22 +362,16 @@ int tn5250_ssl_stream_init (Tn5250Stream *This)
/* which SSL method do we use? */
- strcpy(methstr,"auto");
- if (This->config!=NULL && tn5250_config_get (This->config, "ssl_method")) {
- strncpy(methstr, tn5250_config_get (This->config, "ssl_method"), 4);
- methstr[4] = '\0';
- }
-
- if (!strcmp(methstr, "ssl2")) {
- meth = SSLv2_client_method();
- TN5250_LOG(("SSL Method = SSLv2_client_method()\n"));
- } else if (!strcmp(methstr, "ssl3")) {
- meth = SSLv3_client_method();
- TN5250_LOG(("SSL Method = SSLv3_client_method()\n"));
- } else {
- meth = SSLv23_client_method();
- TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
- }
+ /* Ignore the user's choice of ssl_method (which isn't documented
+ * anyway...) if it was either "ssl2" or "ssl3". Both are insecure,
+ * and this is only safe supported method left.
+ *
+ * This is a Gentoo-specific modification that lets us build
+ * against LibreSSL and newer OpenSSL with its insecure protocols
+ * disabled.
+ */
+ meth = SSLv23_client_method();
+ TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
/* create a new SSL context */
--
2.7.3