Loading CHANGES +21 −9 Original line number Diff line number Diff line Loading @@ -20,15 +20,27 @@ (instead of parameters) in future. [Steve Henson] *) Apply Lutz Jaenicke's 56bit cipher patch. This should fix the problems with cipher ordering and the new EXPORT1024 ciphers. Only two minor changes have been made, the error reason codes have been altered and the @STRENGTH sorting behaviour changed so eNULL ciphers are also sorted (if present). One other addition: the "ciphers" program didn't check the return code of SSL_CTX_set_cipher_list(). [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> modified by Steve Henson] *) Make the ciphers, s_server and s_client programs check the return values when a new cipher list is set. [Steve Henson] *) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit ciphers. Before when the 56bit ciphers were enabled the sorting was wrong. The syntax for the cipher sorting has been extended to support sorting by cipher-strength (using the strength_bits hard coded in the tables). The new command is "@STRENGTH" (see also doc/apps/ciphers.pod). Fix a bug in the cipher-command parser: when supplying a cipher command string with an "undefined" symbol (neither command nor alphanumeric [A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now an error is flagged. Due to the strength-sorting extension, the code of the ssl_create_cipher_list() function was completely rearranged. I hope that the readability was also increased :-) [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>] *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1 for the first serial number and places 2 in the serial number file. This Loading apps/s_client.c +6 −2 Original line number Diff line number Diff line Loading @@ -338,6 +338,7 @@ bad: } SSLeay_add_ssl_algorithms(); SSL_load_error_strings(); ctx=SSL_CTX_new(meth); if (ctx == NULL) { Loading @@ -352,7 +353,11 @@ bad: if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); if (cipher != NULL) SSL_CTX_set_cipher_list(ctx,cipher); if(!SSL_CTX_set_cipher_list(ctx,cipher)) { BIO_printf(bio_err,"error seting cipher list\n"); ERR_print_errors(bio_err); goto end; } #if 0 else SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER")); Loading @@ -370,7 +375,6 @@ bad: /* goto end; */ } SSL_load_error_strings(); con=(SSL *)SSL_new(ctx); /* SSL_set_cipher_list(con,"RC4-MD5"); */ Loading apps/s_server.c +5 −1 Original line number Diff line number Diff line Loading @@ -697,7 +697,11 @@ bad: #endif if (cipher != NULL) SSL_CTX_set_cipher_list(ctx,cipher); if(!SSL_CTX_set_cipher_list(ctx,cipher)) { BIO_printf(bio_err,"error seting cipher list\n"); ERR_print_errors(bio_err); goto end; } SSL_CTX_set_verify(ctx,s_server_verify,verify_callback); SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context, sizeof s_server_session_id_context); Loading doc/apps/s_client.pod +4 −2 Original line number Diff line number Diff line Loading @@ -144,8 +144,10 @@ option enables various workarounds. =item B<-cipher cipherlist> this allows the cipher list sent by the client to be modified. See the B<ciphers> command for more information. this allows the cipher list sent by the client to be modified. Although the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the B<ciphers> command for more information. =back Loading doc/apps/s_server.pod +5 −2 Original line number Diff line number Diff line Loading @@ -167,8 +167,11 @@ SSL code (?). =item B<-cipher cipherlist> this allows the cipher list sent by the client to be modified. See the B<ciphers> command for more information. this allows the cipher list used by the server to be modified. When the client sends a list of supported ciphers the first client cipher also included in the server list is used. Because the client specifies the preference order, the order of the server cipherlist irrelevant. See the B<ciphers> command for more information. =item B<-www> Loading Loading
CHANGES +21 −9 Original line number Diff line number Diff line Loading @@ -20,15 +20,27 @@ (instead of parameters) in future. [Steve Henson] *) Apply Lutz Jaenicke's 56bit cipher patch. This should fix the problems with cipher ordering and the new EXPORT1024 ciphers. Only two minor changes have been made, the error reason codes have been altered and the @STRENGTH sorting behaviour changed so eNULL ciphers are also sorted (if present). One other addition: the "ciphers" program didn't check the return code of SSL_CTX_set_cipher_list(). [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> modified by Steve Henson] *) Make the ciphers, s_server and s_client programs check the return values when a new cipher list is set. [Steve Henson] *) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit ciphers. Before when the 56bit ciphers were enabled the sorting was wrong. The syntax for the cipher sorting has been extended to support sorting by cipher-strength (using the strength_bits hard coded in the tables). The new command is "@STRENGTH" (see also doc/apps/ciphers.pod). Fix a bug in the cipher-command parser: when supplying a cipher command string with an "undefined" symbol (neither command nor alphanumeric [A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now an error is flagged. Due to the strength-sorting extension, the code of the ssl_create_cipher_list() function was completely rearranged. I hope that the readability was also increased :-) [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>] *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1 for the first serial number and places 2 in the serial number file. This Loading
apps/s_client.c +6 −2 Original line number Diff line number Diff line Loading @@ -338,6 +338,7 @@ bad: } SSLeay_add_ssl_algorithms(); SSL_load_error_strings(); ctx=SSL_CTX_new(meth); if (ctx == NULL) { Loading @@ -352,7 +353,11 @@ bad: if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); if (cipher != NULL) SSL_CTX_set_cipher_list(ctx,cipher); if(!SSL_CTX_set_cipher_list(ctx,cipher)) { BIO_printf(bio_err,"error seting cipher list\n"); ERR_print_errors(bio_err); goto end; } #if 0 else SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER")); Loading @@ -370,7 +375,6 @@ bad: /* goto end; */ } SSL_load_error_strings(); con=(SSL *)SSL_new(ctx); /* SSL_set_cipher_list(con,"RC4-MD5"); */ Loading
apps/s_server.c +5 −1 Original line number Diff line number Diff line Loading @@ -697,7 +697,11 @@ bad: #endif if (cipher != NULL) SSL_CTX_set_cipher_list(ctx,cipher); if(!SSL_CTX_set_cipher_list(ctx,cipher)) { BIO_printf(bio_err,"error seting cipher list\n"); ERR_print_errors(bio_err); goto end; } SSL_CTX_set_verify(ctx,s_server_verify,verify_callback); SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context, sizeof s_server_session_id_context); Loading
doc/apps/s_client.pod +4 −2 Original line number Diff line number Diff line Loading @@ -144,8 +144,10 @@ option enables various workarounds. =item B<-cipher cipherlist> this allows the cipher list sent by the client to be modified. See the B<ciphers> command for more information. this allows the cipher list sent by the client to be modified. Although the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the B<ciphers> command for more information. =back Loading
doc/apps/s_server.pod +5 −2 Original line number Diff line number Diff line Loading @@ -167,8 +167,11 @@ SSL code (?). =item B<-cipher cipherlist> this allows the cipher list sent by the client to be modified. See the B<ciphers> command for more information. this allows the cipher list used by the server to be modified. When the client sends a list of supported ciphers the first client cipher also included in the server list is used. Because the client specifies the preference order, the order of the server cipherlist irrelevant. See the B<ciphers> command for more information. =item B<-www> Loading
