Commit 06da6e49 authored by Lutz Jänicke's avatar Lutz Jänicke

Don't disable rollback attack detection as a recommended bug workaround.

parent b72faddc
+8 −0
@@ -12,6 +12,14 @@
         *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
         +) applies to 0.9.7 only

  +) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
     bug workarounds. Rollback attack detection is a security feature.
     The problem will only arise on OpenSSL servers, when TLSv1 is not
     available (sslv3_server_method() or SSL_OP_NO_TLSv1).
     Software authors not wanting to support TLSv1 will have special reasons
     for their choice and can explicitly enable this option.
     [Bodo Moeller, Lutz Jaenicke]

  +) Rationalise EVP so it can be extended: don't include a union of
     cipher/digest structures, add init/cleanup functions. This also reduces
     the number of header dependencies.
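Review bot: The entry should also state that the option's bit value changes (the ssl.h hunk moves it from 0x00000400L to 0x00800000L); applications that hard-coded the old constant instead of using the SSL_OP_TLS_ROLLBACK_BUG macro will set an unused bit after upgrading and silently lose the option, so a line such as "the flag value has changed; use the symbolic name" would save readers a surprise. The rest of the entry is clear, in particular the scoping to servers without TLSv1 (sslv3_server_method() or SSL_OP_NO_TLSv1).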
+15 −13
@@ -100,18 +100,6 @@ doing a re-connect, always takes the first cipher in the cipher list.

...

=item SSL_OP_TLS_ROLLBACK_BUG

Disable version rollback attack detection.

During the client key exchange, the client must send the same information
about acceptable SSL/TLS protocol levels as during the first hello. Some
clients violate this rule by adapting to the server's answer. (Example:
the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
only understands up to SSLv3. In this case the client must still use the
same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
to the server's answer and violate the version rollback protection.)

=item SSL_OP_ALL

All of the above bug workarounds.
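Review bot: Removing the =item here makes the following "All of the above bug workarounds" sentence accurate for SSL_OP_ALL, but a reader who remembers the option from the 0.9.6 manual now finds no trace of it in this section; consider leaving a one-line pointer such as "SSL_OP_TLS_ROLLBACK_BUG is no longer a recommended workaround, see the modifying options below" so the move is discoverable.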
@@ -125,6 +113,18 @@ The following B<modifying> options are available:

=over 4

=item SSL_OP_TLS_ROLLBACK_BUG

Disable version rollback attack detection.

During the client key exchange, the client must send the same information
about acceptable SSL/TLS protocol levels as during the first hello. Some
clients violate this rule by adapting to the server's answer. (Example:
the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
only understands up to SSLv3. In this case the client must still use the
same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
to the server's answer and violate the version rollback protection.)

=item SSL_OP_SINGLE_DH_USE

Always create a new key when using temporary/ephemeral DH parameters
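Review bot: The description is moved verbatim, so it still reads like a bug workaround rather than an opt-in that switches off a security check; in this section the text should say when the option is actually needed, as the CHANGES entry does (only OpenSSL servers that do not offer TLSv1, i.e. sslv3_server_method() or SSL_OP_NO_TLSv1), and that enabling it anywhere else gives up rollback protection for no benefit.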
@@ -207,6 +207,8 @@ L<dhparam(1)|dhparam(1)>

SSL_OP_CIPHER_SERVER_PREFERENCE has been added in OpenSSL 0.9.7.

SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6.
SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6 and was automatically
enabled with SSL_OP_ALL. As of 0.9.7 it is no longer included in SSL_OP_ALL
and must be explicitely set.

=cut
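Review bot: "explicitely" in the added sentence should be "explicitly". This NOTES paragraph is also the natural place to mention that the flag's numeric value changed in 0.9.7 (see the ssl.h hunk), since that is what breaks code that did not use the macro.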
+5 −1
@@ -332,7 +332,6 @@ typedef struct ssl_session_st
#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x00000080L
#define SSL_OP_TLS_D5_BUG				0x00000100L
#define SSL_OP_TLS_BLOCK_PADDING_BUG			0x00000200L
#define SSL_OP_TLS_ROLLBACK_BUG				0x00000400L

/* If set, always create a new key when using tmp_dh parameters */
#define SSL_OP_SINGLE_DH_USE				0x00100000L
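Review bot: Deleting the define leaves bit 0x00000400L free with nothing marking it as retired; if a later option is assigned that value, code that hard-coded the old flag would silently turn on the new option instead. Suggest keeping a comment in its place, e.g. "/* 0x00000400L was SSL_OP_TLS_ROLLBACK_BUG up to 0.9.6, now 0x00800000L; do not reuse */".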
@@ -341,6 +340,11 @@ typedef struct ssl_session_st
/* Set on servers to choose the cipher according to the server's
 * preferences */
#define SSL_OP_CIPHER_SERVER_PREFERENCE			0x00400000L
/* If set, a server will allow a client to issue a SSLv3.0 version number
 * as latest version supported in the premaster secret, even when TLSv1.0
 * (version 3.1) was announced in the client hello. Normally this is
 * forbidden to prevent version rollback attacks. */
#define SSL_OP_TLS_ROLLBACK_BUG				0x00800000L

/* The next flag deliberately changes the ciphertest, this is a check
 * for the PKCS#1 attack */
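Review bot: The comment explains the protocol exception the flag permits but not that it is now outside SSL_OP_ALL and must be set explicitly, which is the whole point of the change; one added line such as " * Not included in SSL_OP_ALL; only needed on servers that do not offer TLSv1. */" keeps header readers from assuming the old default. Placing the bit next to SSL_OP_CIPHER_SERVER_PREFERENCE (0x00400000L) rather than among the low workaround bits is consistent with that intent.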