


Hi Sean,

I can't reproduce the problem, locally. The newest copy of OpenSSL that I have is 1.0.0d, which might be the reason why I can't reproduce it. But, tn5250 seems to build without issue.

Given the symptom, I'm thinking there's only one minor change that would be needed in sslstream.c

Currently, we have this:

    strcpy(methstr,"auto");
    if (This->config!=NULL &&
        tn5250_config_get (This->config, "ssl_method")) {
        strncpy(methstr, tn5250_config_get (This->config,
                "ssl_method"), 4);
        methstr[4] = '\0';
    }

    if (!strcmp(methstr, "ssl2")) {
        meth = SSLv2_client_method();
        TN5250_LOG(("SSL Method = SSLv2_client_method()\n"));
    } else if (!strcmp(methstr, "ssl3")) {
        meth = SSLv3_client_method();
        TN5250_LOG(("SSL Method = SSLv3_client_method()\n"));
    } else {
        meth = SSLv23_client_method();
        TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
    }


So, if you have defined ssl_method=ssl2 in your tn5250rc (or command-line), it'll try to use SSLv2, which is considered insecure and deprecated.

But, unless you specify that option in your tn5250rc, TN5250 won't attempt to use SSLv2. So this isn't exactly a security flaw in tn5250... it's just a capability that appears to be removed from some versions of openssl?

So, as near as I can tell, you just need to change the above code to this:

    strcpy(methstr,"auto");
    if (This->config!=NULL &&
        tn5250_config_get (This->config, "ssl_method")) {
        strncpy(methstr, tn5250_config_get (This->config,
                "ssl_method"), 4);
        methstr[4] = '\0';
    }

    if (!strcmp(methstr, "ssl3")) {
        meth = SSLv3_client_method();
        TN5250_LOG(("SSL Method = SSLv3_client_method()\n"));
    } else {
        meth = SSLv23_client_method();
        TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
    }

But, again, since I can't easily reproduce the problem, I'm not completely sure that this is all that's needed. Can you confirm?



On 12/12/2011 12:39 PM, Porterfield, Sean wrote:
OpenSSL 1.0.0e 6 Sep 2011

For my purposes, I just commented out the section referencing ssl2 in sslstream.c
--
Sean Porterfield
________________________________________
From: Scott Klement

hi Sean,

What version of OpenSSL are you using? I don't really want to install
Ubuntu just to figure out the solution. :-)

type: openssl version


On 12/12/2011 6:35 AM, Porterfield, Sean wrote:
I recently installed Ubuntu 11.10 and have an error compiling tn5250.

make[2]: Entering directory `/home/sporter/src/tn5250/lp5250d'
gcc -DHAVE_CONFIG_H -I. -I.. -DSYSCONFDIR=\"/usr/local/etc\" -I../lib5250 -I/usr/include -g -O2 -MT scs2ascii.o -MD -MP -MF .deps/scs2ascii.Tpo -c -o scs2ascii.o scs2ascii.c
mv -f .deps/scs2ascii.Tpo .deps/scs2ascii.Po
/bin/bash ../libtool --tag=CC --mode=link gcc -g -O2 -o scs2ascii scs2ascii.o ../lib5250/lib5250.la -lssl -lcrypto
libtool: link: gcc -g -O2 -o .libs/scs2ascii scs2ascii.o ../lib5250/.libs/lib5250.so -lssl -lcrypto
../lib5250/.libs/lib5250.so: undefined reference to `SSLv2_client_method'
collect2: ld returned 1 exit status
make[2]: *** [scs2ascii] Error 1
make[2]: Leaving directory `/home/sporter/src/tn5250/lp5250d'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/sporter/src/tn5250'
make: *** [all] Error 2

I think OpenSSL no longer includes SSLv2 support. I also think I may be able to hack it to get it working, but I have no idea the "right way" to fix this. I suspect something in configure or just removing SSLv2 support completely.
--
Sean Porterfield
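
Added example (not part of the original thread and not tn5250's own code): a self-contained version of the ssl_method selection that builds whether or not libssl provides SSLv2, and that reports when ssl_method=ssl2 was requested but ignored instead of silently falling through. The macro HAVE_SSLV2_CLIENT_METHOD, the enum and the function name are hypothetical; the macro stands in for a configure-time link test.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the build system defines HAVE_SSLV2_CLIENT_METHOD only when a
 * link test finds SSLv2_client_method in libssl. It is left undefined here,
 * modelling the OpenSSL build that produced the link error in the thread. */

enum ssl_meth { METH_AUTO, METH_SSL3, METH_SSL2 };

/* Map the ssl_method setting to a method choice.
 * cfg may be NULL (option not set). *ignored is set to 1 when the user asked
 * for a method this build cannot provide, so the caller can log it. */
enum ssl_meth select_ssl_method(const char *cfg, int *ignored)
{
    char methstr[5] = "auto";

    *ignored = 0;
    if (cfg != NULL) {
        /* Same truncation as the thread's code: only 4 characters count. */
        strncpy(methstr, cfg, 4);
        methstr[4] = '\0';
    }

    if (!strcmp(methstr, "ssl2")) {
#ifdef HAVE_SSLV2_CLIENT_METHOD
        return METH_SSL2;   /* caller would use SSLv2_client_method() */
#else
        *ignored = 1;       /* SSLv2 not available: fall back, but say so */
        return METH_AUTO;
#endif
    }
    if (!strcmp(methstr, "ssl3"))
        return METH_SSL3;   /* caller would use SSLv3_client_method() */
    return METH_AUTO;       /* caller would use SSLv23_client_method() */
}

int main(void)
{
    const char *samples[] = { NULL, "ssl2", "ssl3", "auto" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ignored;
        enum ssl_meth m = select_ssl_method(samples[i], &ignored);
        printf("%s -> %d%s\n", samples[i] ? samples[i] : "(unset)", (int)m,
               ignored ? " (requested method unavailable)" : "");
    }
    return 0;
}
```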


