/* This can fail because we do not have RSA available */
if ( !ssl_ctx ) {
debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
+#ifndef DISABLE_SSLV3
ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
}
if ( !ssl_ctx ) {
debug(F110,"ssl_tn_init","SSLv3_client_method failed",0);
+#endif
last_ssl_mode = -1;
return(0);
}
debug(F110,"ssl_tn_init","SSLv23_client_method OK",0);
} else {
debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
+#ifndef DISABLE_SSLV3
tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
+#endif /* DISABLE_SSLV3 */
if ( !tls_ctx ) {
+#ifndef DISABLE_SSLV3
debug(F110,
- "ssl_tn_init","TLSv1_client_method failed",0);
+ "ssl_tn_init","SSLv3_client_method failed",0);
+#endif /* DISABLE_SSLV3 */
debug(F110,
"ssl_tn_init","All SSL client methods failed",0);
last_ssl_mode = -1;
/* This can fail because we do not have RSA available */
if ( !ssl_ctx ) {
debug(F110,"ssl_tn_init","SSLv23_server_method failed",0);
+#ifndef DISABLE_SSLV3
ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method());
}
if ( !ssl_ctx ) {
debug(F110,"ssl_tn_init","SSLv3_server_method failed",0);
+#endif
last_ssl_mode = -1;
return(0);
}
* that cannot read poorly written specs :-)
* for TLS be sure to prevent use of SSLv2
*/
- SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2
+#ifdef DISABLE_SSLV3
+ |SSL_OP_NO_SSLv3
+#endif
+ );
SSL_CTX_set_options(tls_ctx,
- SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
+ SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
+#ifdef DISABLE_SSLV3
+ |SSL_OP_NO_SSLv3
+#endif
+ );
SSL_CTX_set_info_callback(ssl_ctx,ssl_client_info_callback);
SSL_CTX_set_info_callback(tls_ctx,ssl_client_info_callback);
* for TLS be sure to prevent use of SSLv2
*/
SSL_CTX_set_options(tls_http_ctx,
- SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
+ SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
+#ifdef DISABLE_SSLV3
+ |SSL_OP_NO_SSLv3
+#endif
+ );
SSL_CTX_set_info_callback(tls_http_ctx,ssl_client_info_callback);
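Review bot: The `|SSL_OP_NO_SSLv3` bit added to the ssl_ctx, tls_ctx and tls_http_ctx option sets is compiled in only under `#ifdef DISABLE_SSLV3`, so a build that does not define that symbol still lets every `SSLv23_*_method()` context negotiate SSLv3; the safer arrangement is to set `SSL_OP_NO_SSLv3` unconditionally and let a build flag re-enable SSLv3 for peers that genuinely need it. A second problem is that the non-DISABLE build still references `SSLv3_client_method()` and `SSLv3_server_method()`, which an OpenSSL configured with `no-ssl3` (it defines `OPENSSL_NO_SSL3`, and newer releases also `OPENSSL_NO_SSL3_METHOD`) may not provide, so that configuration fails to compile unless the packager also remembers `DISABLE_SSLV3`; deriving it near the top of ck_ssl.c avoids the trap: `#if defined(OPENSSL_NO_SSL3) && !defined(DISABLE_SSLV3)` / `#define DISABLE_SSLV3` / `#endif`. The `#ifndef DISABLE_SSLV3` blocks in the client and server fallback paths each straddle a closing `}` and the following `if ( !ssl_ctx ) {`, so brace balance depends on the preprocessor state; a one-line comment such as `/* with SSLv3 disabled the two if-blocks collapse into one */` on each `#ifndef` would save the next reader a recount. The enclosing ssl_tn_init and ssl_http_init bodies start and end outside these hunks.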
if (ftp_bug_use_ssl_v2) {
/* allow SSL 2.0 or later */
client_method = SSLv23_client_method();
+#ifndef DISABLE_SSLV3
} else if (ftp_bug_use_ssl_v3) {
/* allow SSL 3.0 ONLY - previous default */
client_method = SSLv3_client_method();
+#endif /* DISABLE_SSLV3 */
} else {
/* default - allow TLS 1.0 or later */
client_method = TLSv1_client_method();
return(0);
SSL_CTX_set_options(ssl_ftp_ctx,
SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
+#ifdef DISABLE_SSLV3
+ |SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
+#endif
);
} else {
ssl_ftp_ctx = SSL_CTX_new(client_method);
SSL_CTX_set_options(ssl_ftp_ctx,
(ftp_bug_use_ssl_v2 ? 0 : SSL_OP_NO_SSLv2)|
SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
+#ifdef DISABLE_SSLV3
+ |SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
+#endif
);
}
SSL_CTX_set_default_passwd_cb(ssl_ftp_ctx,
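Review bot: In the second SSL_CTX_set_options call the DISABLE_SSLV3 block ORs in `SSL_OP_NO_SSLv2` right after `(ftp_bug_use_ssl_v2 ? 0 : SSL_OP_NO_SSLv2)`, which makes the ternary dead in that build and silently overrides the user's SSLv2 preference, and the `#ifndef DISABLE_SSLV3` around the `else if (ftp_bug_use_ssl_v3)` branch likewise means whatever sets that flag now falls through to the TLSv1 default without any indication. Forcing TLS is the right outcome, but the settings that drive these two flags presumably still exist elsewhere in ckcftp.c, so either reject them with a diagnostic in a DISABLE_SSLV3 build or at least record the behaviour at the first `#ifndef`: `/* DISABLE_SSLV3 builds force TLS; ftp_bug_use_ssl_v2 and ftp_bug_use_ssl_v3 are accepted but have no effect here */`. If the two flags are never set in such a build the ternary can simply be dropped under the same conditional. The enclosing ssl_auth body, including the `if` that the visible `} else {` belongs to, starts outside these hunks.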
--- /dev/null
+Index: ckermit/ck_ssl.c
+===================================================================
+--- ckermit.orig/ck_ssl.c
++++ ckermit/ck_ssl.c
+@@ -1604,10 +1604,12 @@ ssl_tn_init(mode) int mode;
+ /* This can fail because we do not have RSA available */
+ if ( !ssl_ctx ) {
+ debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
++#ifndef DISABLE_SSLV3
+ ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
+ }
+ if ( !ssl_ctx ) {
+ debug(F110,"ssl_tn_init","SSLv3_client_method failed",0);
++#endif
+ last_ssl_mode = -1;
+ return(0);
+ }
+@@ -1630,10 +1632,14 @@ ssl_tn_init(mode) int mode;
+ debug(F110,"ssl_tn_init","SSLv23_client_method OK",0);
+ } else {
+ debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
++#ifndef DISABLE_SSLV3
+ tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
++#endif /* DISABLE_SSLV3 */
+ if ( !tls_ctx ) {
++#ifndef DISABLE_SSLV3
+ debug(F110,
+- "ssl_tn_init","TLSv1_client_method failed",0);
++ "ssl_tn_init","SSLv3_client_method failed",0);
++#endif /* DISABLE_SSLV3 */
+ debug(F110,
+ "ssl_tn_init","All SSL client methods failed",0);
+ last_ssl_mode = -1;
+@@ -1651,10 +1657,12 @@ ssl_tn_init(mode) int mode;
+ /* This can fail because we do not have RSA available */
+ if ( !ssl_ctx ) {
+ debug(F110,"ssl_tn_init","SSLv23_server_method failed",0);
++#ifndef DISABLE_SSLV3
+ ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method());
+ }
+ if ( !ssl_ctx ) {
+ debug(F110,"ssl_tn_init","SSLv3_server_method failed",0);
++#endif
+ last_ssl_mode = -1;
+ return(0);
+ }
+@@ -1688,9 +1696,17 @@ ssl_tn_init(mode) int mode;
+ * that cannot read poorly written specs :-)
+ * for TLS be sure to prevent use of SSLv2
+ */
+- SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2);
++ SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2
++#ifdef DISABLE_SSLV3
++ |SSL_OP_NO_SSLv3
++#endif
++ );
+ SSL_CTX_set_options(tls_ctx,
+- SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
++ SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
++#ifdef DISABLE_SSLV3
++ |SSL_OP_NO_SSLv3
++#endif
++ );
+
+ SSL_CTX_set_info_callback(ssl_ctx,ssl_client_info_callback);
+ SSL_CTX_set_info_callback(tls_ctx,ssl_client_info_callback);
+@@ -2215,7 +2231,11 @@ ssl_http_init(hostname) char * hostname;
+ * for TLS be sure to prevent use of SSLv2
+ */
+ SSL_CTX_set_options(tls_http_ctx,
+- SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
++ SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
++#ifdef DISABLE_SSLV3
++ |SSL_OP_NO_SSLv3
++#endif
++ );
+
+ SSL_CTX_set_info_callback(tls_http_ctx,ssl_client_info_callback);
+
+Index: ckermit/ckcftp.c
+===================================================================
+--- ckermit.orig/ckcftp.c
++++ ckermit/ckcftp.c
+@@ -10210,9 +10210,11 @@ ssl_auth() {
+ if (ftp_bug_use_ssl_v2) {
+ /* allow SSL 2.0 or later */
+ client_method = SSLv23_client_method();
++#ifndef DISABLE_SSLV3
+ } else if (ftp_bug_use_ssl_v3) {
+ /* allow SSL 3.0 ONLY - previous default */
+ client_method = SSLv3_client_method();
++#endif /* DISABLE_SSLV3 */
+ } else {
+ /* default - allow TLS 1.0 or later */
+ client_method = TLSv1_client_method();
+@@ -10223,6 +10225,9 @@ ssl_auth() {
+ return(0);
+ SSL_CTX_set_options(ssl_ftp_ctx,
+ SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
++#ifdef DISABLE_SSLV3
++ |SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
++#endif
+ );
+ } else {
+ ssl_ftp_ctx = SSL_CTX_new(client_method);
+@@ -10231,6 +10236,9 @@ ssl_auth() {
+ SSL_CTX_set_options(ssl_ftp_ctx,
+ (ftp_bug_use_ssl_v2 ? 0 : SSL_OP_NO_SSLv2)|
+ SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
++#ifdef DISABLE_SSLV3
++ |SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
++#endif
+ );
+ }
+ SSL_CTX_set_default_passwd_cb(ssl_ftp_ctx,