Commit f4e11693 authored by Dr. Stephen Henson

Modify client hello version when renegotiating to enhance interop with some servers.
parent febec8ff
+7 −0
@@ -267,6 +267,13 @@
  
 Changes between 1.0.0f and 1.0.1  [xx XXX xxxx]

  *) Some servers which support TLS 1.0 can choke if we initially indicate
     support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
     encrypted premaster secret. As a workaround use the maximum pemitted
     client version in client hello, this should keep such servers happy
     and still work with previous versions of OpenSSL.
     [Steve Henson]

  *) Add support for TLS/DTLS heartbeats.
     [Robin Seggelmann <seggelmann@fh-muenster.de>]

+1 −1
@@ -2056,7 +2056,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
	}
#endif

#ifdef SSL_DEBUG
#ifndef SSL_DEBUG
	{
	/* Print out local port of connection: useful for debugging */
	int sock;
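Review bot: The guard around the local-port debug block in print_stuff appears to flip from `#ifdef SSL_DEBUG` to `#ifndef SSL_DEBUG` (the rendered page dropped the +/- markers, so this is read from the print order), which would compile the debugging output into every build that does not define SSL_DEBUG. Nothing in the commit message covers this file, so it looks like local debugging state committed along with the client hello change. If that is what happened, the line should stay `#ifdef SSL_DEBUG`. The block's body continues past the end of the hunk.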
+4 −1
@@ -30,7 +30,10 @@ $OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \

# First DH parameters

[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem
$OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem

# Uncomment out this line for X9.42 DH parameters instead
$OPENSSL genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt dh_rfc5114:2

# Now a DH private key
$OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem
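Review bot: The comment `# Uncomment out this line for X9.42 DH parameters instead` now sits above a live command, so the script appears to generate dhp.pem twice and the `dh_rfc5114:2` run always overwrites the 1024-bit parameters produced just before it. The `[ -f dhp.pem ] ||` guard also seems to be gone (sides inferred from the +4 −1 count, since the page lost the markers), so every run regenerates the parameters instead of reusing an existing file. Neither change is mentioned in the commit message; if they are leftovers from local testing, restore the guard and keep the optional line commented: `# $OPENSSL genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt dh_rfc5114:2`. If the switch is intended, the comment should say so, and it is worth stating there that 1024-bit parameters are only suitable for throwaway test data.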
+34 −0
@@ -689,9 +689,43 @@ int ssl3_client_hello(SSL *s)
		/* Do the message type and length last */
		d=p= &(buf[4]);

		/* version indicates the negotiated version: for example from
		 * an SSLv2/v3 compatible client hello). The client_version
		 * field is the maximum version we permit and it is also
		 * used in RSA encrypted premaster secrets. Some servers can
		 * choke if we initially report a higher version then
		 * renegotiate to a lower one in the premaster secret. This
		 * didn't happen with TLS 1.0 as most servers supported it
		 * but it can with TLS 1.1 or later if the server only supports
		 * 1.0.
		 *
		 * Possible scenario with previous logic:
		 * 	1. Client hello indicates TLS 1.2
		 * 	2. Server hello says TLS 1.0
		 *	3. RSA encrypted premaster secret uses 1.2.
		 * 	4. Handhaked proceeds using TLS 1.0.
		 *	5. Server sends hello request to renegotiate.
		 *	6. Client hello indicates TLS v1.0 as we now
		 *	   know that is maximum server supports.
		 *	7. Server chokes on RSA encrypted premaster secret
		 *	   containing version 1.0.
		 *
		 * For interoperability it should be OK to always use the
		 * maximum version we support in client hello and then rely
		 * on the checking of version to ensure the servers isn't
		 * being inconsistent: for example initially negotiating with
		 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
		 * client_version in client hello and not resetting it to
		 * the negotiated version.
		 */
#if 0
		*(p++)=s->version>>8;
		*(p++)=s->version&0xff;
		s->client_version=s->version;
#else
		*(p++)=s->client_version>>8;
		*(p++)=s->client_version&0xff;
#endif

		/* Random stuff */
		memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
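Review bot: The previous assignment is kept under `#if 0` in ssl3_client_hello, which leaves dead code that still contains `s->client_version=s->version;`; the new comment already records the old behaviour, so the `#if 0`/`#else`/`#endif` scaffolding can be dropped and only the two `s->client_version` writes kept. The comment relies on "the checking of version" to reject a server that answers with a different version on renegotiation, but that check is not in this hunk; because the client_version in the RSA premaster secret is what ties the key exchange to the advertised version, the comment should name the function that performs the check, and a renegotiation test against a TLS 1.0-only peer would confirm it. Two wording fixes in the comment: `Handhaked` should read `Handshake`, and the `)` after `compatible client hello` has no opening parenthesis. The function starts and ends outside the hunk.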
+2 −1
/* ssl/ssl3.h */

/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
#define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
#define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010
#define TLS1_FLAGS_KEEP_HANDSHAKE		0x0020
#define SSL3_FLAGS_CLEAR_CLIENT_CERT		0x0040
 
/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
 * restart a handshake because of MS SGC and so prevents us