Commit 3142c86d authored by Dr. Stephen Henson

Allow ADH to be used but not present in the default cipher
list.

Allow CERTIFICATE to be used in PEM headers for PKCS#7 structures:
some CAs do this.
parent 4b426580
+10 −0
@@ -4,6 +4,16 @@

 Changes between 0.9.4 and 0.9.5  [xx XXX 2000]

  *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
     Some CAs (e.g. Verisign) distribute certificates in this form.
     [Steve Henson]

  *) Remove the SSL_ALLOW_ADH compile option and set the default cipher
     list to exclude them. This means that no special compilation option
     is needed to use anonymous DH: it just needs to be included in the
     cipher list.
     [Steve Henson]

  *) Change the EVP_MD_CTX_type macro so its meaning consistent with
     EVP_MD_type. The old functionality is available in a new macro called
     EVP_MD_md(). Change code that uses it and update docs.
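Review bot: in the second new entry, "set the default cipher list to exclude them" has no antecedent for "them"; write "exclude the ADH cipher suites" so the sentence stands on its own. The first new entry says CERTIFICATE is tolerated "in PKCS#7 structures", which reads as if the ASN.1 encoding changed; the commit message has it right, so suggest "*) Allow the string CERTIFICATE to be tolerated in PEM headers of PKCS#7 structures."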
+4 −0
@@ -217,6 +217,10 @@ static int check_pem(const char *nm, const char *name)
	if(!strcmp(nm,PEM_STRING_X509_OLD) &&
		!strcmp(name,PEM_STRING_X509_TRUSTED)) return 1;

	/* Some CAs use PKCS#7 with CERTIFICATE headers */
	if(!strcmp(nm, PEM_STRING_X509) &&
		!strcmp(name, PEM_STRING_PKCS7)) return 1;

	return 0;
}
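Review bot: the new comment should state that the relaxation is one-way: a caller that asked for PEM_STRING_PKCS7 will accept a block labelled CERTIFICATE, never the reverse, and because check_pem() only compares header names the body must still decode as PKCS#7 for the block to be used. Minor style: the added `strcmp(nm, PEM_STRING_X509)` puts a space after the comma while the neighbouring `strcmp(nm,PEM_STRING_X509_OLD)` does not; match the surrounding lines.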

+3 −2
@@ -101,7 +101,8 @@ The following is a list of all permitted cipher strings and their meanings.
=item B<DEFAULT>

the default cipher list. This is determined at compile time and is normally
B<TBA>. This must be the first cipher string specified.
B<ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH>. This must be the first cipher string
specified.

=item B<ALL>

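Review bot: the DEFAULT item still says the default is "normally" this string, but the same commit removes the only alternative definition of SSL_DEFAULT_CIPHER_LIST, so "normally" can be dropped and the text can say this is the value of SSL_DEFAULT_CIPHER_LIST in ssl.h so the two stay in sync. Worth adding a sentence on the consequence of the `!ADH` element: `!` deletes the suites permanently, so a user who wants anonymous DH cannot append ADH after DEFAULT and must build a list without DEFAULT instead.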
@@ -143,7 +144,7 @@ included.

the cipher suites offering no authentication. This is currently the anonymous
DH algorithms. These cipher suites are vulnerable to a "man in the middle"
attack and so there use is normally discouraged.
attack and so their use is normally discouraged.

=item B<kRSA>, B<RSA>

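Review bot: the "there" to "their" fix is correct; while this item is being touched, say that these suites are excluded from B<DEFAULT> by C<!ADH> and therefore have to be enabled explicitly, since that is the user-visible effect of this commit and the only place a reader of the ADH item would look for it.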
+12 −0
@@ -71,6 +71,18 @@ Output all certificates in a file:

 openssl pkcs7 -in file.pem -print_certs -out certs.pem

=head1 NOTES

The PEM PKCS#7 format uses the header and footer lines:

 -----BEGIN PKCS7-----
 -----END PKCS7-----

For compatability with some CAs it will also accept:

 -----BEGIN CERTIFICATE-----
 -----END CERTIFICATE-----

=head1 RESTRICTIONS

There is no option to print out all the fields of a PKCS#7 file.
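Review bot: spelling in the added NOTES paragraph: "compatability" should be "compatibility". The paragraph also describes input only; say whether output written with B<-out> still uses the PKCS7 header lines, so readers do not expect the CA's CERTIFICATE header to be preserved.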
+0 −5
@@ -134,12 +134,7 @@ extern "C" {

/* 'DEFAULT' at the start of the cipher list insert the following string
 * in addition to this being the default cipher string */
#ifndef NO_RSA
#define SSL_DEFAULT_CIPHER_LIST	"ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
#else
#define SSL_ALLOW_ADH
#define SSL_DEFAULT_CIPHER_LIST	"ALL:ADH+3DES:ADH+RC4:ADH+DES:@STRENGTH"
#endif

/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
#define SSL_SENT_SHUTDOWN	1
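Review bot: dropping the `#else` branch means a `NO_RSA` build now also gets `"ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"` as its default; confirm such a build still ends up with a non-empty default list (the deleted branch existed precisely because it relied on ADH rather than RSA suites) and check the rest of the tree for remaining `SSL_ALLOW_ADH` references, since this hunk only removes the definition. Minor: the comment above now describes the sole definition, and "insert the following string" should read "inserts".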