Loading CHANGES +7 −3 Original line number Diff line number Diff line Loading @@ -4,9 +4,13 @@ Changes between 0.9.8b and 0.9.8c [xx XXX xxxx] *) Disable "ECCdraft" ciphersuites (which were not part of the "ALL" alias). These are now excluded from compilation by default, since OpenSSL 0.9.9[-dev] should be used for TLS with elliptic curves. *) Disable "ECCdraft" ciphersuites more thoroughly. Now special treatment in ssl/ssl_ciph.s makes sure that these ciphersuites cannot be implicitly activated as part of, e.g., the "AES" alias. However, please upgrade to OpenSSL 0.9.9[-dev] for non-experimental use of the ECC ciphersuites to get TLS extension support, which is required for curve and point format negotiation to avoid potential handshake problems. [Bodo Moeller] *) Disable rogue ciphersuites: Loading ssl/s3_lib.c +0 −2 Original line number Diff line number Diff line Loading @@ -1165,7 +1165,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ }, #endif /* OPENSSL_NO_CAMELLIA */ #if 0 /* please use OpenSSL 0.9.9 branch for ECC ciphersuites */ #ifndef OPENSSL_NO_ECDH /* Cipher C001 */ { Loading Loading @@ -1517,7 +1516,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, #endif /* OPENSSL_NO_ECDH */ #endif /* end of list */ Loading ssl/ssl_ciph.c +16 −2 Original line number Diff line number Diff line Loading @@ -634,11 +634,25 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, if (rule == CIPHER_ADD) { if (!curr->active) { int add_this_cipher = 1; if (((cp->algorithms & (SSL_kECDHE|SSL_kECDH|SSL_aECDSA)) != 0)) { /* Make sure "ECCdraft" ciphersuites are activated only if * *explicitly* requested, but not implicitly (such as * as part of the "AES" alias). */ add_this_cipher = (mask & (SSL_kECDHE|SSL_kECDH|SSL_aECDSA)) != 0; } if (add_this_cipher) { ll_append_tail(&head, curr, &tail); curr->active = 1; } } } /* Move the added cipher to this location */ else if (rule == CIPHER_ORD) { Loading Loading
CHANGES +7 −3 Original line number Diff line number Diff line Loading @@ -4,9 +4,13 @@ Changes between 0.9.8b and 0.9.8c [xx XXX xxxx] *) Disable "ECCdraft" ciphersuites (which were not part of the "ALL" alias). These are now excluded from compilation by default, since OpenSSL 0.9.9[-dev] should be used for TLS with elliptic curves. *) Disable "ECCdraft" ciphersuites more thoroughly. Now special treatment in ssl/ssl_ciph.s makes sure that these ciphersuites cannot be implicitly activated as part of, e.g., the "AES" alias. However, please upgrade to OpenSSL 0.9.9[-dev] for non-experimental use of the ECC ciphersuites to get TLS extension support, which is required for curve and point format negotiation to avoid potential handshake problems. [Bodo Moeller] *) Disable rogue ciphersuites: Loading
ssl/s3_lib.c +0 −2 Original line number Diff line number Diff line Loading @@ -1165,7 +1165,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ }, #endif /* OPENSSL_NO_CAMELLIA */ #if 0 /* please use OpenSSL 0.9.9 branch for ECC ciphersuites */ #ifndef OPENSSL_NO_ECDH /* Cipher C001 */ { Loading Loading @@ -1517,7 +1516,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, #endif /* OPENSSL_NO_ECDH */ #endif /* end of list */ Loading
ssl/ssl_ciph.c +16 −2 Original line number Diff line number Diff line Loading @@ -634,11 +634,25 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, if (rule == CIPHER_ADD) { if (!curr->active) { int add_this_cipher = 1; if (((cp->algorithms & (SSL_kECDHE|SSL_kECDH|SSL_aECDSA)) != 0)) { /* Make sure "ECCdraft" ciphersuites are activated only if * *explicitly* requested, but not implicitly (such as * as part of the "AES" alias). */ add_this_cipher = (mask & (SSL_kECDHE|SSL_kECDH|SSL_aECDSA)) != 0; } if (add_this_cipher) { ll_append_tail(&head, curr, &tail); curr->active = 1; } } } /* Move the added cipher to this location */ else if (rule == CIPHER_ORD) { Loading
