Loading CHANGES +5 −0 Original line number Diff line number Diff line Loading @@ -863,6 +863,11 @@ Changes between 0.9.8l (?) and 0.9.8m (?) [xx XXX xxxx] *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to connect (but not renegotiate) with servers which do not support RI. Until RI is more widely deployed this option is enabled by default. [Steve Henson] *) Add "missing" ssl ctrls to clear options and mode. [Steve Henson] Loading apps/s_client.c +8 −1 Original line number Diff line number Diff line Loading @@ -383,7 +383,7 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { int off=0; unsigned int off=0, clr=0; SSL *con=NULL; int s,k,width,state=0; char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL; Loading Loading @@ -666,6 +666,10 @@ int MAIN(int argc, char **argv) off|=SSL_OP_CIPHER_SERVER_PREFERENCE; else if (strcmp(*argv,"-legacy_renegotiation") == 0) off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; else if (strcmp(*argv,"-legacy_server_connect") == 0) { off|=SSL_OP_LEGACY_SERVER_CONNECT; } else if (strcmp(*argv,"-no_legacy_server_connect") == 0) { clr|=SSL_OP_LEGACY_SERVER_CONNECT; } else if (strcmp(*argv,"-cipher") == 0) { if (--argc < 1) goto bad; Loading Loading @@ -876,6 +880,9 @@ bad: SSL_CTX_set_options(ctx,SSL_OP_ALL|off); else SSL_CTX_set_options(ctx,off); if (clr) SSL_CTX_clear_options(ctx, clr); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. */ Loading ssl/ssl.h +2 −0 Original line number Diff line number Diff line Loading 
@@ -518,6 +518,8 @@ typedef struct ssl_session_st #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L /* Allow initial connection to servers that don't support RI */ #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L Loading ssl/ssl3.h +2 −0 Original line number Diff line number Diff line Loading @@ -129,7 +129,9 @@ extern "C" { #endif /* Magic Cipher Suite Value. NB: bogus value used for testing */ #ifndef SSL3_CK_MCSV #define SSL3_CK_MCSV 0x03000FEC #endif #define SSL3_CK_RSA_NULL_MD5 0x03000001 #define SSL3_CK_RSA_NULL_SHA 0x03000002 Loading ssl/ssl_lib.c +4 −0 Original line number Diff line number Diff line Loading @@ -1677,6 +1677,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) } #endif #endif /* Default is to connect to non-RI servers. When RI is more widely * deployed might change this. */ ret->options = SSL_OP_LEGACY_SERVER_CONNECT; return(ret); err: Loading Loading
CHANGES +5 −0 Original line number Diff line number Diff line Loading @@ -863,6 +863,11 @@ Changes between 0.9.8l (?) and 0.9.8m (?) [xx XXX xxxx] *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to connect (but not renegotiate) with servers which do not support RI. Until RI is more widely deployed this option is enabled by default. [Steve Henson] *) Add "missing" ssl ctrls to clear options and mode. [Steve Henson] Loading
apps/s_client.c +8 −1 Original line number Diff line number Diff line Loading @@ -383,7 +383,7 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { int off=0; unsigned int off=0, clr=0; SSL *con=NULL; int s,k,width,state=0; char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL; Loading Loading @@ -666,6 +666,10 @@ int MAIN(int argc, char **argv) off|=SSL_OP_CIPHER_SERVER_PREFERENCE; else if (strcmp(*argv,"-legacy_renegotiation") == 0) off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; else if (strcmp(*argv,"-legacy_server_connect") == 0) { off|=SSL_OP_LEGACY_SERVER_CONNECT; } else if (strcmp(*argv,"-no_legacy_server_connect") == 0) { clr|=SSL_OP_LEGACY_SERVER_CONNECT; } else if (strcmp(*argv,"-cipher") == 0) { if (--argc < 1) goto bad; Loading Loading @@ -876,6 +880,9 @@ bad: SSL_CTX_set_options(ctx,SSL_OP_ALL|off); else SSL_CTX_set_options(ctx,off); if (clr) SSL_CTX_clear_options(ctx, clr); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. */ Loading
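Review bot: The two new switches `-legacy_server_connect` and `-no_legacy_server_connect` are parsed in the second hunk but, judging by the section's +8 −1 diffstat (one declaration, four lines for the first switch, three for the clear), no usage/help line is added for them, so users cannot discover the opt-out that requires RI from the server; add the two entries to the usage text next to `-legacy_renegotiation`. The declaration `unsigned int off=0, clr=0;` in the first hunk also mixes types with the option constants, which are declared with an `L` suffix in ssl/ssl.h, and with the `long` argument the set/clear ctrls take; `long off=0, clr=0;` keeps the bitmask arithmetic in one type. Because the clear runs after `SSL_CTX_set_options()` in the third hunk, `-no_legacy_server_connect` wins when both switches are given, which deserves a one-line comment such as `/* clear after set so -no_* switches override their -legacy_* counterparts */`. MAIN's body begins and ends outside these hunks.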
ssl/ssl.h +2 −0 Original line number Diff line number Diff line Loading @@ -518,6 +518,8 @@ typedef struct ssl_session_st #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L /* Allow initial connection to servers that don't support RI */ #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L Loading
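Review bot: The comment on the new `SSL_OP_LEGACY_SERVER_CONNECT` define says only that it allows initial connections to non-RI servers; since this header is where integrators look the option up, it should also state the two facts that decide whether to clear it: renegotiation with such servers is still refused (per the CHANGES entry in this commit), and the option is on by default in `SSL_CTX_new()`. Suggested: `/* Allow the initial connection (but not renegotiation) to servers that do not support RI. Set by default in SSL_CTX_new(); clear it to require RI. */`. The value `0x00000004L` fills the gap between 0x2 and 0x8; if that bit was ever assigned to an earlier option, applications passing stale constants would now enable this behaviour unintentionally, so it is worth confirming against prior releases.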
ssl/ssl3.h +2 −0 Original line number Diff line number Diff line Loading @@ -129,7 +129,9 @@ extern "C" { #endif /* Magic Cipher Suite Value. NB: bogus value used for testing */ #ifndef SSL3_CK_MCSV #define SSL3_CK_MCSV 0x03000FEC #endif #define SSL3_CK_RSA_NULL_MD5 0x03000001 #define SSL3_CK_RSA_NULL_SHA 0x03000002 Loading
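Review bot: Wrapping `SSL3_CK_MCSV` in `#ifndef`/`#endif` makes the magic cipher suite value overridable at build time, but the comment above it still reads "bogus value used for testing" and says nothing about the override; a client and server built with different values would not recognise each other's signalling suite, so the reason for allowing the override belongs in the comment. Suggested: `/* Magic cipher suite value (signalling suite). Overridable at build time, presumably until the value is finalised; both peers must agree on it. */`. The `SSL3_CK_RSA_NULL_*` defines below are unchanged context.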
ssl/ssl_lib.c +4 −0 Original line number Diff line number Diff line Loading @@ -1677,6 +1677,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) } #endif #endif /* Default is to connect to non-RI servers. When RI is more widely * deployed might change this. */ ret->options = SSL_OP_LEGACY_SERVER_CONNECT; return(ret); err: Loading
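Review bot: The new default `ret->options = SSL_OP_LEGACY_SERVER_CONNECT;` means every SSL_CTX starts out willing to complete an initial handshake with a server that does not support RI, and the comment explains why but not how an application that wants strict behaviour turns it off; extend the comment with the opt-out, e.g. `* Applications that require RI should clear it with SSL_CTX_clear_options(). */`. Plain assignment rather than `ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;` also discards any bits set earlier in the function; nothing in the hunk sets them, but SSL_CTX_new() begins well above it, so that is worth confirming.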