Commit 3c33c6f6 authored by Matt Caswell's avatar Matt Caswell

Remove support for SSL_OP_NETSCAPE_CA_DN_BUG.



This is an ancient bug workaround for Netscape clients. The documentation
talks about versions 3.x and 4.x beta.

Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
parent ae632974
+0 −5
@@ -169,11 +169,6 @@ will send its list of preferences to the client and the client chooses.

...

=item SSL_OP_NETSCAPE_CA_DN_BUG

If we accept a netscape connection, demand a client cert, have a
non-self-signed CA which does not have its CA in netscape, and the
browser has a cert, it will crash/hang.  Works for 3.x and 4.xbeta 

=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG

+3 −15
@@ -2109,8 +2109,6 @@ int ssl3_get_certificate_request(SSL *s)
    for (nc = 0; nc < llen;) {
        n2s(p, l);
        if ((l + nc + 2) > llen) {
            if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
                goto cont;      /* netscape bugs */
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
            SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
            goto err;
@@ -2119,15 +2117,10 @@ int ssl3_get_certificate_request(SSL *s)
        q = p;

        if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
            /* If netscape tolerance is on, ignore errors */
            if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
                goto cont;
            else {
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
            SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
            goto err;
        }
        }

        if (q != (p + l)) {
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
@@ -2144,11 +2137,6 @@ int ssl3_get_certificate_request(SSL *s)
        nc += l + 2;
    }

    if (0) {
 cont:
        ERR_clear_error();
    }

    /* we should setup a certificate to return.... */
    s->s3->tmp.cert_req = 1;
    s->s3->tmp.ctype_num = ctype_num;
+4 −14
@@ -2056,20 +2056,10 @@ int ssl3_send_certificate_request(SSL *s)
                    goto err;
                }
                p = ssl_handshake_start(s) + n;
                if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
                s2n(j, p);
                i2d_X509_NAME(name, &p);
                n += 2 + j;
                nl += 2 + j;
                } else {
                    d = p;
                    i2d_X509_NAME(name, &p);
                    j -= 2;
                    s2n(j, d);
                    j += 2;
                    n += j;
                    nl += j;
                }
            }
        }
        /* else no CA names */
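Review bot: The return value of `i2d_X509_NAME(name, &p)` in the surviving branch is still unchecked, so if the encoded length differs from the `j` just written by `s2n(j, p)` (presumably `j` comes from an earlier `i2d_X509_NAME(name, NULL)` above the hunk) the length prefix and the bytes that follow it would disagree; a one-line guard such as `if (i2d_X509_NAME(name, &p) != j) goto err;` keeps the two consistent. The removed `else` branch was the only user of `d` within this hunk; if `d` has no other use in the function, its declaration (outside the hunk) should go as well or it becomes an unused local. ssl3_send_certificate_request begins and ends outside the hunk.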
+2 −1
@@ -478,7 +478,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
# define SSL_OP_PKCS1_CHECK_1                            0x0
# define SSL_OP_PKCS1_CHECK_2                            0x0

# define SSL_OP_NETSCAPE_CA_DN_BUG                       0x20000000L
/* Removed as of OpenSSL 1.1.0 */
# define SSL_OP_NETSCAPE_CA_DN_BUG                       0x0
# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x40000000L
/*
 * Make server add server-hello extension from early version of cryptopro
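Review bot: Keeping `SSL_OP_NETSCAPE_CA_DN_BUG` defined as `0x0` means `SSL_CTX_set_options()` with this flag compiles but is now silently a no-op, exactly like `SSL_OP_PKCS1_CHECK_1`/`_2` above it, yet the documentation section is deleted outright rather than saying so. Consider extending the comment to `/* Removed as of OpenSSL 1.1.0; kept as 0x0 for source compatibility, has no effect */` and, in the pod, listing the option among the no-op compatibility flags instead of dropping the `=item` entirely, so readers of the header and the manual page get the same story. The freed bit value `0x20000000L` should presumably be documented as unavailable for reuse while old binaries may still set it, if the project has a convention for that.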