Commit 9dfd2be8 authored by Viktor Dukhovni, committed by Matt Caswell

Disable SSLv2 default build, default negotiation and weak ciphers.



SSLv2 is by default disabled at build-time.  Builds that are not
configured with "enable-ssl2" will not support SSLv2.  Even if
"enable-ssl2" is used, users who want to negotiate SSLv2 via the
version-flexible SSLv23_method() will need to explicitly call either
of:

    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
    SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

as appropriate.  Even if either of those is used, or the application
explicitly uses the version-specific SSLv2_method() or its client
or server variants, SSLv2 ciphers vulnerable to exhaustive search
key recovery have been removed.  Specifically, the SSLv2 40-bit
EXPORT ciphers, and SSLv2 56-bit DES are no longer available.

Mitigation for CVE-2016-0800

Reviewed-by: Emilia Käsper <emilia@openssl.org>
parent c1753084
+17 −0
@@ -4,6 +4,23 @@

 Changes between 1.0.2f and 1.0.2g [xx XXX xxxx]

  * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
    is by default disabled at build-time.  Builds that are not configured with
    "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
    users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
    will need to explicitly call either of:

        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
    or
        SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

    as appropriate.  Even if either of those is used, or the application
    explicitly uses the version-specific SSLv2_method() or its client and
    server variants, SSLv2 ciphers vulnerable to exhaustive search key
    recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
    ciphers, and SSLv2 56-bit DES are no longer available.
    [Viktor Dukhovni]
    
  *) Disable SRP fake user seed to address a server memory leak.

     Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
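Review bot: The new entry opens with "  * Disable SSLv2 default build ..." while the existing entry directly below it uses "  *) Disable SRP fake user seed ...", so the bullet marker should be "*)" to match the convention visible in this file. The entry also does not name CVE-2016-0800, which the commit message gives as the reason for the change; adding the identifier here would let readers of the changelog tie the behaviour change to the advisory.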
+2 −1
@@ -784,6 +784,7 @@ my %disabled = ( # "what" => "comment" [or special keyword "experimental
		 "sctp"           => "default",
		 "shared"         => "default",
		 "ssl-trace"	  => "default",
		 "ssl2"           => "default",
		 "store"	  => "experimental",
		 "unit-test"	  => "default",
		 "zlib"           => "default",
+1 −1
@@ -7,7 +7,7 @@

  Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [under development]

      o
      o Disable SSLv2 default build, default negotiation and weak ciphers.

  Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]

+6 −0
@@ -156,6 +156,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
     128,
     },

# if 0
/* RC4_128_EXPORT40_WITH_MD5 */
    {
     1,
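Review bot: The "# if 0" placed before /* RC4_128_EXPORT40_WITH_MD5 */ carries no comment saying why the table entry is compiled out, and the same applies to the blocks around RC2_128_CBC_EXPORT40_WITH_MD5 and DES_64_CBC_WITH_MD5 further down. Either delete the three entries from ssl2_ciphers[] outright, or add a one-line comment at each "# if 0" stating that the 40-bit EXPORT and 56-bit DES suites are removed because they are vulnerable to exhaustive search key recovery, so that nobody re-enables them while tidying dead code.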
@@ -171,6 +172,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
     40,
     128,
     },
# endif

/* RC2_128_CBC_WITH_MD5 */
    {
@@ -188,6 +190,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
     128,
     },

# if 0
/* RC2_128_CBC_EXPORT40_WITH_MD5 */
    {
     1,
@@ -203,6 +206,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
     40,
     128,
     },
# endif

# ifndef OPENSSL_NO_IDEA
/* IDEA_128_CBC_WITH_MD5 */
@@ -222,6 +226,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
     },
# endif

# if 0
/* DES_64_CBC_WITH_MD5 */
    {
     1,
@@ -237,6 +242,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
     56,
     56,
     },
# endif

/* DES_192_EDE3_CBC_WITH_MD5 */
    {
+9 −1
@@ -330,11 +330,19 @@ static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value)
        SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
        SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2)
    };
    int ret;
    int sslv2off;

    if (!(cctx->flags & SSL_CONF_FLAG_FILE))
        return -2;
    cctx->tbl = ssl_protocol_list;
    cctx->ntbl = sizeof(ssl_protocol_list) / sizeof(ssl_flag_tbl);
    return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);

    sslv2off = *cctx->poptions & SSL_OP_NO_SSLv2;
    ret = CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
    /* Never turn on SSLv2 through configuration */
    *cctx->poptions |= sslv2off;
    return ret;
}

static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
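Review bot: In cmd_Protocol, "sslv2off = *cctx->poptions & SSL_OP_NO_SSLv2;" and the later "*cctx->poptions |= sslv2off;" dereference cctx->poptions with no NULL check. If an SSL_CONF_CTX can reach this function before an SSL or SSL_CTX has been attached, both statements will crash, so guard them with a check on cctx->poptions or return early. sslv2off is also declared int although it stores a masked option word; giving it the same type as *cctx->poptions avoids a narrowing conversion. Finally, the comment "Never turn on SSLv2 through configuration" describes a behaviour change for the Protocol command that the CHANGES entry in this commit does not mention, and a sentence there would help.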