openssl removed ssl2/3 and broke cURL because curl uses openssl instead of libssl

Bug #1934044 reported by Bill Yikes
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
curl (Ubuntu) | New | Undecided | Unassigned |

Bug Description

cURL supports a -ssl3 option (and rightly so), but openssl removed it prematurely (see https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1934040). The fallout:

torsocks curl --insecure --ssl-allow-beast -ssl3 -vvI https://xhfheq5i37waj6qb.onion:110 2>&1
* Trying 127.42.42.0:110...
* Connected to xhfheq5i37waj6qb.onion (127.42.42.0) port 110 (#0)
* OpenSSL was built without SSLv3 support
* Closing connection 0

Is it possible that curl's check for ssl3 is flawed? I say that because both curl and fetchmail are dependent on the same libssl pkg, and yet fetchmail can still do ssl3 but curl can't. Neither curl nor fetchmail names "openssl" as a dependency. So curl perhaps should not look to the openssl package to detect ssl3 capability.

SSL3 is still useful for onion sites, so curl should do the necessary to retain that capability.
