From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Tue, 19 Apr 2016 21:32:07 +0200
Subject: [PATCH] consider OPENSSL_NO_SSL3

and avoid using SSLv3 code when not provided by openssl.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
 ck_ssl.c | 8 ++++++++
 ckcftp.c | 5 +++++
 2 files changed, 13 insertions(+)

diff --git a/ck_ssl.c b/ck_ssl.c
index 428fb7ca6f98..3640d8f07fa8 100644
--- a/ck_ssl.c
+++ b/ck_ssl.c
@@ -1579,7 +1579,9 @@ ssl_tn_init(mode) int mode;
             /* This can fail because we do not have RSA available */
             if ( !ssl_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
+#ifndef OPENSSL_NO_SSL3
                 ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
+#endif
             }
             if ( !ssl_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv3_client_method failed",0);
@@ -1593,7 +1595,9 @@ ssl_tn_init(mode) int mode;
             /* This can fail because we do not have RSA available */
             if ( !tls_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
+#ifndef OPENSSL_NO_SSL3
                 tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
+#endif
             }
 #endif /* COMMENT */
             if ( !tls_ctx ) {
@@ -1611,7 +1615,9 @@ ssl_tn_init(mode) int mode;
             /* This can fail because we do not have RSA available */
             if ( !ssl_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv23_server_method failed",0);
+#ifndef OPENSSL_NO_SSL3
                 ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method());
+#endif
             }
             if ( !ssl_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv3_server_method failed",0);
@@ -2161,7 +2167,9 @@ ssl_http_init(hostname) char * hostname;
         /* This can fail because we do not have RSA available */
         if ( !tls_http_ctx ) {
             debug(F110,"ssl_http_init","SSLv23_client_method failed",0);
+#ifndef OPENSSL_NO_SSL3
             tls_http_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
+#endif
         }
 #endif /* COMMENT */
         if ( !tls_http_ctx ) {
diff --git a/ckcftp.c b/ckcftp.c
index 66c7940dedc2..d718323faac4 100644
--- a/ckcftp.c
+++ b/ckcftp.c
@@ -10195,6 +10195,7 @@ ssl_auth() {
 #ifndef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0L
 #endif
+#ifndef OPENSSL_NO_SSL3
     if (auth_type && !strcmp(auth_type,"TLS")) {
         ssl_ftp_ctx=SSL_CTX_new(SSLv3_client_method());
         if (!ssl_ftp_ctx)
@@ -10205,6 +10206,10 @@ ssl_auth() {
     } else {
         ssl_ftp_ctx = SSL_CTX_new(ftp_bug_use_ssl_v2 ? SSLv23_client_method() : 
                                   SSLv3_client_method());
+#else
+    {
+        ssl_ftp_ctx = SSL_CTX_new(SSLv23_client_method());
+#endif
         if (!ssl_ftp_ctx)
           return(0);
         SSL_CTX_set_options(ssl_ftp_ctx,
-- 
2.8.0.rc3