Qpopper and openssl on FreeBSD 11.x

[Matthias Andree]

Am 17.02.2018 um 04:22 schrieb Doug Hardie:
> I have encountered an interesting situation while trying to resolve a PR on qpopper.  I am unable to build qpopper on 11.1 (and probably 11.0) because the openssl function SSLv3_server_method has been removed.  I can see where the SSLv2 functions are disabled in ssl.h, but the SSLv3 functions appear that they should be there.  nm on libssl shows they are there.  Clang's linker can't link to them.  One of the qpopper users' indicates that the problem does not exist on 10.4.  I believe the loss of the SSLv3 methods is a bug and have filed Bug report.

It is a deliberate security measure to remove SSLv3 methods, and not a
bug. The protocol is broken.

> Resolution of that PR will obviously take some time.  The question at hand is what to do in the meantime. I am guessing the packages must be built on 10.x or there would be a report of the problem.  I can easily change the code, via a patch, to use SSLv23_server_method in all cases, or the preferred TLSv1_server_method.  That will eliminate the options to restrict qpopper to SSLv2 or SSLv3.  This does not appear to be an issue for those running 11.x.  However, it is for those using 10.x and earlier.  Given the security issues today, I can't imagine anyone wanting to use those options, but it is possible someone is using them.  Switching to the TLSv1_server_method will remove that capability for them.  

Use SSLv23_server_method(), and use code to block out SSLv2 + SSLv3 on
those systems that still support them - which depends on the
OpenSSL/LibreSSL version, however:
Older OpenSSL and LibreSSL require SSL_OP_NO_SSLv3 and SSL_OP_NO_SSLv2
set through ..._set_options() on the SSL or CTX,
newer OpenSSL (1.1.0+) have ..._set_min_proto_version(..., TLS1_VERSION).