Loading CHANGES +6 −0 Original line number Diff line number Diff line Loading @@ -4,6 +4,12 @@ Changes between 0.9.8k and 1.0 [xx XXX xxxx] *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello: this allows the use of compression and extensions. Change default cipher string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2 by default unless an application cipher string requests it. [Steve Henson] *) Alter match criteria in PKCS12_parse(). It used to try to use local key ids to find matching certificates and keys but some PKCS#12 files don't follow the (somewhat unwritten) rules and this strategy fails. Loading crypto/x509v3/v3_alt.c +1 −0 Original line number Diff line number Diff line Loading @@ -366,6 +366,7 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p) if (move_p) { X509_NAME_delete_entry(nm, i); X509_NAME_ENTRY_free(ne); i--; } if(!email || !(gen = GENERAL_NAME_new())) { Loading ssl/s23_clnt.c +17 −0 Original line number Diff line number Diff line Loading @@ -250,6 +250,20 @@ end: return(ret); } static int ssl23_no_ssl2_ciphers(SSL *s) { SSL_CIPHER *cipher; STACK_OF(SSL_CIPHER) *ciphers; int i; ciphers = SSL_get_ciphers(s); for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { cipher = sk_SSL_CIPHER_value(ciphers, i); if (cipher->algorithm_ssl == SSL_SSLV2) return 0; } return 1; } static int ssl23_client_hello(SSL *s) { Loading @@ -264,6 +278,9 @@ static int ssl23_client_hello(SSL *s) ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1; if (ssl2_compat && ssl23_no_ssl2_ciphers(s)) ssl2_compat = 0; if (!(s->options & SSL_OP_NO_TLSv1)) { version = TLS1_VERSION; Loading ssl/ssl.h +2 −2 Original line number Diff line number Diff line Loading @@ -324,8 +324,8 @@ extern "C" { /* The following cipher list is used by default. * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ #define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL" /* As of OpenSSL 0.9.9, ssl_create_cipher_list() in ssl/ssl_ciph.c always #define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSlv2" /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always * starts with a reasonable order, and all we have to do for DEFAULT is * throwing out anonymous and unencrypted ciphersuites! * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable Loading Loading
CHANGES +6 −0 Original line number Diff line number Diff line Loading @@ -4,6 +4,12 @@ Changes between 0.9.8k and 1.0 [xx XXX xxxx] *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello: this allows the use of compression and extensions. Change default cipher string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2 by default unless an application cipher string requests it. [Steve Henson] *) Alter match criteria in PKCS12_parse(). It used to try to use local key ids to find matching certificates and keys but some PKCS#12 files don't follow the (somewhat unwritten) rules and this strategy fails. Loading
crypto/x509v3/v3_alt.c +1 −0 Original line number Diff line number Diff line Loading @@ -366,6 +366,7 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p) if (move_p) { X509_NAME_delete_entry(nm, i); X509_NAME_ENTRY_free(ne); i--; } if(!email || !(gen = GENERAL_NAME_new())) { Loading
ssl/s23_clnt.c +17 −0 Original line number Diff line number Diff line Loading @@ -250,6 +250,20 @@ end: return(ret); } static int ssl23_no_ssl2_ciphers(SSL *s) { SSL_CIPHER *cipher; STACK_OF(SSL_CIPHER) *ciphers; int i; ciphers = SSL_get_ciphers(s); for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { cipher = sk_SSL_CIPHER_value(ciphers, i); if (cipher->algorithm_ssl == SSL_SSLV2) return 0; } return 1; } static int ssl23_client_hello(SSL *s) { Loading @@ -264,6 +278,9 @@ static int ssl23_client_hello(SSL *s) ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1; if (ssl2_compat && ssl23_no_ssl2_ciphers(s)) ssl2_compat = 0; if (!(s->options & SSL_OP_NO_TLSv1)) { version = TLS1_VERSION; Loading
ssl/ssl.h +2 −2 Original line number Diff line number Diff line Loading @@ -324,8 +324,8 @@ extern "C" { /* The following cipher list is used by default. * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ #define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL" /* As of OpenSSL 0.9.9, ssl_create_cipher_list() in ssl/ssl_ciph.c always #define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSlv2" /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always * starts with a reasonable order, and all we have to do for DEFAULT is * throwing out anonymous and unencrypted ciphersuites! * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable Loading
