Commit aa17ab7e authored by Bodo Möller's avatar Bodo Möller
Browse files

Put ECCdraft ciphersuites back into default build (but disabled

unless specifically requested)
parent 35908bd0
Loading
Loading
Loading
Loading
+7 −3
Original line number Diff line number Diff line
@@ -4,9 +4,13 @@

 Changes between 0.9.8b and 0.9.8c  [xx XXX xxxx]

  *) Disable "ECCdraft" ciphersuites (which were not part of the "ALL"
     alias).  These are now excluded from compilation by default, since
     OpenSSL 0.9.9[-dev] should be used for TLS with elliptic curves.
  *) Disable "ECCdraft" ciphersuites more thoroughly.  Now special
     treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
     cannot be implicitly activated as part of, e.g., the "AES" alias.
     However, please upgrade to OpenSSL 0.9.9[-dev] for
     non-experimental use of the ECC ciphersuites to get TLS extension
     support, which is required for curve and point format negotiation
     to avoid potential handshake problems.
     [Bodo Moeller]

  *) Disable rogue ciphersuites:
+0 −2
Original line number Diff line number Diff line
@@ -1165,7 +1165,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	},
#endif /* OPENSSL_NO_CAMELLIA */

#if 0 /* please use OpenSSL 0.9.9 branch for ECC ciphersuites */
#ifndef OPENSSL_NO_ECDH
	/* Cipher C001 */
	    {
@@ -1517,7 +1516,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            SSL_ALL_STRENGTHS,
            },
#endif	/* OPENSSL_NO_ECDH */
#endif


/* end of list */
+16 −2
Original line number Diff line number Diff line
@@ -634,11 +634,25 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
		if (rule == CIPHER_ADD)
			{
			if (!curr->active)
				{
				int add_this_cipher = 1;

				if (((cp->algorithms & (SSL_kECDHE|SSL_kECDH|SSL_aECDSA)) != 0))
					{
					/* Make sure "ECCdraft" ciphersuites are activated only if
					 * *explicitly* requested, but not implicitly (such as
					 * as part of the "AES" alias). */

					add_this_cipher = (mask & (SSL_kECDHE|SSL_kECDH|SSL_aECDSA)) != 0;
					}
				
				if (add_this_cipher)
					{
					ll_append_tail(&head, curr, &tail);
					curr->active = 1;
					}
				}
			}
		/* Move the added cipher to this location */
		else if (rule == CIPHER_ORD)
			{