Re: Ubuntu 11.10 SSLv2 error compiling

Hi Sean,

I can't reproduce the problem, locally. The newest copy of OpenSSL that I have is 1.0.0d, which might be the reason why I can't reproduce it. But, tn5250 seems to build without issue.

Given the symptom, I'm thinking there's only one minor change that would be needed in sslstream.c

Currently, it we have this:

strcpy(methstr,"auto");
if (This->config!=NULL &&
tn5250_config_get (This->config, "ssl_method")) {
strncpy(methstr, tn5250_config_get (This->config,
"ssl_method"), 4);
methstr[4] = '\0';
}

if (!strcmp(methstr, "ssl2")) {
meth = SSLv2_client_method();
TN5250_LOG(("SSL Method = SSLv2_client_method()\n"));
} else if (!strcmp(methstr, "ssl3")) {
meth = SSLv3_client_method();
TN5250_LOG(("SSL Method = SSLv3_client_method()\n"));
} else {
meth = SSLv23_client_method();
TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
}


so, if you have defined ssl_method=ssl2 in your tn5250rc (or command-line) it'll try to use SSLv2 which is considered insecure and deprecated.

But, unless you specify that option in your tn5250rc, TN5250 won't attempt to use SSLv2. So this isn't exactly a security flaw in tn5250... it's just a capability that appears to be removed from some versions of openssl?

So, as near as I can tell, you just need to change the above code to this:

strcpy(methstr,"auto");
if (This->config!=NULL &&
tn5250_config_get (This->config, "ssl_method")) {
strncpy(methstr, tn5250_config_get (This->config,
"ssl_method"), 4);
methstr[4] = '\0';
}

if (!strcmp(methstr, "ssl3")) {
meth = SSLv3_client_method();
TN5250_LOG(("SSL Method = SSLv3_client_method()\n"));
} else {
meth = SSLv23_client_method();
TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
}

But, again, since I can't easily reproduce the problem, I'm not completely sure that this is all that's needed. Can you confirm?



On 12/12/2011 12:39 PM, Porterfield, Sean wrote:

OpenSSL 1.0.0e 6 Sep 2011

For my purposes, I just commented out the section referencing ssl2 in sslstream.c
--
Sean Porterfield
________________________________________
From: Scott Klement

hi Sean,

What version of OpenSSL are you using? I don't really want to install
Ubuntu just to figure out the solution. :-)

type: openssl version


On 12/12/2011 6:35 AM, Porterfield, Sean wrote:

I recently installed Ubuntu 11.10 and have an error compiling tn5250.

make[2]: Entering directory `/home/sporter/src/tn5250/lp5250d'
gcc -DHAVE_CONFIG_H -I. -I.. -DSYSCONFDIR=\"/usr/local/etc\" -I../lib5250 -I/usr/include -g -O2 -MT scs2ascii.o -MD -MP -MF .deps/scs2ascii.Tpo -c -o scs2ascii.o scs2ascii.c
mv -f .deps/scs2ascii.Tpo .deps/scs2ascii.Po
/bin/bash ../libtool --tag=CC --mode=link gcc -g -O2 -o scs2ascii scs2ascii.o ../lib5250/lib5250.la -lssl -lcrypto
libtool: link: gcc -g -O2 -o .libs/scs2ascii scs2ascii.o ../lib5250/.libs/lib5250.so -lssl -lcrypto
../lib5250/.libs/lib5250.so: undefined reference to `SSLv2_client_method'
collect2: ld returned 1 exit status
make[2]: *** [scs2ascii] Error 1
make[2]: Leaving directory `/home/sporter/src/tn5250/lp5250d'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/sporter/src/tn5250'
make: *** [all] Error 2

I think OpenSSL no longer includes SSLv2 support. I also think I may be able to hack it to get it working, but I have no idea the "right way" to fix this. I suspect something in configure or just removing SSLv2 support completely.
--
Sean Porterfield

This email is confidential, intended only for the named recipient(s) above and may contain information that is privileged. If you have received this message in error or are not the named recipient(s), please notify the sender immediately and delete this email message from your computer as any and all unauthorized distribution or use of this message is strictly prohibited. Thank you.