
Build with OpenSSL without SSLv3 support

Posted: Sat Jan 16, 2016 8:59 am
by chrullrich
Hello,

it is currently impossible to build nagios-plugins against an OpenSSL installation without SSLv3 support because plugins/sslutils.c uses SSLv3 functions without checking whether they even exist. Such a check is present for the SSLv2 support, but as SSLv3 is also ancient and has known weaknesses, it is getting more likely to encounter OpenSSL installations that have SSLv3 support disabled.

The FreeBSD port of nagios-plugins is currently using the following patch to allow the build to succeed; I think it can be used verbatim here, too:


--- plugins/sslutils.c.orig	2016-01-14 20:02:06.419867000 +0100
+++ plugins/sslutils.c	2016-01-14 20:01:36.091492000 +0100
@@ -70,8 +70,13 @@
 #endif
 		break;
 	case 3: /* SSLv3 protocol */
+#if defined(OPENSSL_NO_SSL3)
+		printf(("%s\n", _("CRITICAL - SSL protocol version 3 is not supported by your SSL library.")));
+		return STATE_CRITICAL;
+#else
 		method = SSLv3_client_method();
 		ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1;
+#endif
 		break;
 	default: /* Unsupported */
 		printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
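Review bot: In the added printf call under OPENSSL_NO_SSL3, the doubled parentheses turn the two arguments into one comma expression, so "%s\n" is discarded and the translated message itself becomes the format string. The output then loses its trailing newline, and any translation containing a % character would be interpreted as a conversion specifier. Use the same form as the existing call in the default case: printf("%s\n", _("CRITICAL - SSL protocol version 3 is not supported by your SSL library."));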

Re: Build with OpenSSL without SSLv3 support

Posted: Mon Jan 18, 2016 12:14 pm
by tmcdonald
Thanks for the patch! Mind if I move this to the GitHub? https://github.com/nagios-plugins/nagios-plugins/

It will get more traction there. Otherwise, if you have an account already, a pull request will improve the response time.