[Bug 1934044] [NEW] openssl removed ssl2/3 and broke cURL because curl uses openssl instead of libssl

Bill Yikes 1934044 at bugs.launchpad.net
Wed Jun 30 04:03:32 UTC 2021 

Public bug reported:

cURL supports a -ssl3 option (and rightly so), but openssl removed it
prematurely (see
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1934040).  The
fallout:

torsocks curl --insecure --ssl-allow-beast -ssl3 -vvI https://xhfheq5i37waj6qb.onion:110 2>&1 
*   Trying 127.42.42.0:110...
* Connected to xhfheq5i37waj6qb.onion (127.42.42.0) port 110 (#0)
* OpenSSL was built without SSLv3 support
* Closing connection 0

Is it possible that curl's check for ssl3 is flawed?  I say that because
both curl and fetchmail are dependant on the same libssl pkg, and yet
fetchmail can still do ssl3 but curl can't.  Neither curl nor fetchmail
names "openssl" as a dependency.  So curl perhaps should not look to the
openssl package to detect ssl3 capability.

SSL3 is still useful for onion sites, so curl should do the necessary to
retain that capability.

** Affects: curl (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/1934044

Title:
  openssl removed ssl2/3 and broke cURL because curl uses openssl
  instead of libssl

Status in curl package in Ubuntu:
  New

Bug description:
  cURL supports a -ssl3 option (and rightly so), but openssl removed it
  prematurely (see
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1934040).  The
  fallout:

  torsocks curl --insecure --ssl-allow-beast -ssl3 -vvI https://xhfheq5i37waj6qb.onion:110 2>&1 
  *   Trying 127.42.42.0:110...
  * Connected to xhfheq5i37waj6qb.onion (127.42.42.0) port 110 (#0)
  * OpenSSL was built without SSLv3 support
  * Closing connection 0

  Is it possible that curl's check for ssl3 is flawed?  I say that
  because both curl and fetchmail are dependant on the same libssl pkg,
  and yet fetchmail can still do ssl3 but curl can't.  Neither curl nor
  fetchmail names "openssl" as a dependency.  So curl perhaps should not
  look to the openssl package to detect ssl3 capability.

  SSL3 is still useful for onion sites, so curl should do the necessary
  to retain that capability.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1934044/+subscriptions

More information about the foundations-bugs mailing list