
[CVS] OpenSSL: openssl/ CHANGES openssl/apps/ s_client.c openssl/ssl/ ...


Dr. Stephen Henson

Dec 16, 2009, 3:26:00 PM12/16/09
to
OpenSSL CVS Repository
http://cvs.openssl.org/
____________________________________________________________________________

Server: cvs.openssl.org Name: Dr. Stephen Henson
Root: /v/openssl/cvs Email: st...@openssl.org
Module: openssl Date: 16-Dec-2009 21:25:59
Branch: HEAD Handle: 2009121620255702

Modified files:
openssl CHANGES
openssl/apps s_client.c
openssl/ssl ssl.h ssl3.h ssl_lib.c t1_lib.c

Log:
New option to enable/disable connection to unpatched servers

Summary:
Revision Changes Path
1.1518 +5 -0 openssl/CHANGES
1.130 +8 -1 openssl/apps/s_client.c
1.242 +2 -0 openssl/ssl/ssl.h
1.49 +2 -0 openssl/ssl/ssl3.h
1.192 +4 -0 openssl/ssl/ssl_lib.c
1.75 +3 -2 openssl/ssl/t1_lib.c
____________________________________________________________________________

patch -p0 <<'@@ .'
Index: openssl/CHANGES
============================================================================
$ cvs diff -u -r1.1517 -r1.1518 CHANGES
--- openssl/CHANGES 9 Dec 2009 13:25:15 -0000 1.1517
+++ openssl/CHANGES 16 Dec 2009 20:25:57 -0000 1.1518
@@ -863,6 +863,11 @@

Changes between 0.9.8l (?) and 0.9.8m (?) [xx XXX xxxx]

+ *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
+ connect (but not renegotiate) with servers which do not support RI.
+ Until RI is more widely deployed this option is enabled by default.
+ [Steve Henson]
+
*) Add "missing" ssl ctrls to clear options and mode.
[Steve Henson]

@@ .
patch -p0 <<'@@ .'
Index: openssl/apps/s_client.c
============================================================================
$ cvs diff -u -r1.129 -r1.130 s_client.c
--- openssl/apps/s_client.c 8 Dec 2009 13:42:07 -0000 1.129
+++ openssl/apps/s_client.c 16 Dec 2009 20:25:58 -0000 1.130
@@ -383,7 +383,7 @@

int MAIN(int argc, char **argv)
{
- int off=0;
+ unsigned int off=0, clr=0;
SSL *con=NULL;
int s,k,width,state=0;
char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
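Review bot: The new declaration `unsigned int off=0, clr=0;` narrows the option masks to `unsigned int`, while the SSL_OP_* constants in this same commit are `long` literals (`0x00000004L` in the ssl.h hunk) and presumably SSL_CTX_set_options/SSL_CTX_clear_options take `long`; the masks are then silently converted on every call. Declaring them as `long off=0, clr=0;` keeps the type identical to the API and the constants and avoids a sign/width conversion if a high bit is ever used. MAIN's body continues outside the hunk.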
@@ -666,6 +666,10 @@
off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
else if (strcmp(*argv,"-legacy_renegotiation") == 0)
off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ else if (strcmp(*argv,"-legacy_server_connect") == 0)
+ { off|=SSL_OP_LEGACY_SERVER_CONNECT; }
+ else if (strcmp(*argv,"-no_legacy_server_connect") == 0)
+ { clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
else if (strcmp(*argv,"-cipher") == 0)
{
if (--argc < 1) goto bad;
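Review bot: The two new switches `-legacy_server_connect` and `-no_legacy_server_connect` are parsed here but nothing in this commit adds them to the program's usage/help text, so the only way a user learns that the default tolerates servers without RI, or how to turn that off, is by reading the source; if the usage text is not updated elsewhere it should gain two lines such as `" -legacy_server_connect - allow initial connect to unpatched servers (default)"` and `" -no_legacy_server_connect - reject servers that do not support RI"`. A short comment on the `clr` branch, `/* cleared after SSL_OP_ALL|off is applied, so it overrides the default */`, would also make the interaction with the later SSL_CTX_clear_options call visible. The option-parsing function starts and ends outside this hunk.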
@@ -876,6 +880,9 @@
SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
else
SSL_CTX_set_options(ctx,off);
+
+ if (clr)
+ SSL_CTX_clear_options(ctx, clr);
/* DTLS: partial reads end up discarding unread UDP bytes :-(
* Setting read ahead solves this problem.
*/
@@ .
patch -p0 <<'@@ .'
Index: openssl/ssl/ssl.h
============================================================================
$ cvs diff -u -r1.241 -r1.242 ssl.h
--- openssl/ssl/ssl.h 11 Dec 2009 00:23:12 -0000 1.241
+++ openssl/ssl/ssl.h 16 Dec 2009 20:25:58 -0000 1.242
@@ -518,6 +518,8 @@

#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
+/* Allow initial connection to servers that don't support RI */
+#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
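Review bot: The comment on `SSL_OP_LEGACY_SERVER_CONNECT` says what the bit allows but not its security consequence or its default, both of which a caller of this public header needs: per the ssl_lib.c hunk the bit is set for every new SSL_CTX, and per the t1_lib.c hunk it only relaxes the check on the initial handshake, never on renegotiation. I would extend it to `/* Allow initial connection to servers that don't support RI. Set by default in SSL_CTX_new(); a client that wants to reject unpatched servers must clear it with SSL_CTX_clear_options(). Renegotiation without RI is still refused. */`. That way the bit reads as the deliberate compatibility trade-off the CHANGES entry describes rather than as another "bug" workaround in this list.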
@@ .
patch -p0 <<'@@ .'
Index: openssl/ssl/ssl3.h
============================================================================
$ cvs diff -u -r1.48 -r1.49 ssl3.h
--- openssl/ssl/ssl3.h 8 Dec 2009 13:14:02 -0000 1.48
+++ openssl/ssl/ssl3.h 16 Dec 2009 20:25:58 -0000 1.49
@@ -129,7 +129,9 @@
#endif

/* Magic Cipher Suite Value. NB: bogus value used for testing */
+#ifndef SSL3_CK_MCSV
#define SSL3_CK_MCSV 0x03000FEC
+#endif

#define SSL3_CK_RSA_NULL_MD5 0x03000001
#define SSL3_CK_RSA_NULL_SHA 0x03000002
@@ .
patch -p0 <<'@@ .'
Index: openssl/ssl/ssl_lib.c
============================================================================
$ cvs diff -u -r1.191 -r1.192 ssl_lib.c
--- openssl/ssl/ssl_lib.c 9 Dec 2009 15:03:44 -0000 1.191
+++ openssl/ssl/ssl_lib.c 16 Dec 2009 20:25:59 -0000 1.192
@@ -1677,6 +1677,10 @@
}
#endif
#endif
+ /* Default is to connect to non-RI servers. When RI is more widely
+ * deployed might change this.
+ */
+ ret->options = SSL_OP_LEGACY_SERVER_CONNECT;

return(ret);
err:
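Review bot: `ret->options = SSL_OP_LEGACY_SERVER_CONNECT;` is a plain assignment placed just before `return(ret)`, so it overwrites any option bit that may have been set earlier in the constructor; the enclosing function (presumably SSL_CTX_new) starts outside the hunk, so I cannot see whether `options` was already written. If the intent is only to add the default, `ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;` is the safer form and does not depend on where in the function this line sits. The comment should also tell integrators how to opt out, e.g. `* Applications that must refuse unpatched servers call SSL_CTX_clear_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT).`, since a silent default that accepts servers without RI is the kind of setting reviewers of dependent code will look for.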
@@ .
patch -p0 <<'@@ .'
Index: openssl/ssl/t1_lib.c
============================================================================
$ cvs diff -u -r1.74 -r1.75 t1_lib.c
--- openssl/ssl/t1_lib.c 14 Dec 2009 13:56:04 -0000 1.74
+++ openssl/ssl/t1_lib.c 16 Dec 2009 20:25:59 -0000 1.75
@@ -1157,8 +1157,9 @@
* which doesn't support RI so for the immediate future tolerate RI
* absence on initial connect only.
*/
- if (!renegotiate_seen && s->new_session &&
- !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ if (!renegotiate_seen &&
+ (s->new_session || !(s->options & SSL_OP_LEGACY_SERVER_CONNECT))
+ && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{
/* FIXME: Spec currently doesn't give alert to use */
*al = SSL_AD_ILLEGAL_PARAMETER;
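Review bot: The explanatory comment directly above the changed condition (ending at "tolerate RI absence on initial connect only") is now out of date: tolerance on the initial connect is conditional on `SSL_OP_LEGACY_SERVER_CONNECT`, and the new condition rejects a non-RI server outright when that bit is clear. I would rewrite the end of that comment to say that RI absence is tolerated on the initial handshake only while `SSL_OP_LEGACY_SERVER_CONNECT` is set (the default), that a renegotiation (`s->new_session`) without RI is always refused, and that `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` overrides both. The mixed `&&`/`||` expression is correct as parenthesised, but a one-line comment such as `/* refuse: renegotiating, or strict client and peer lacks RI */` above the `if` would make the two rejection cases explicit. The surrounding function starts and ends outside this hunk.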
@@ .
______________________________________________________________________
OpenSSL Project http://www.openssl.org
CVS Repository Commit List opens...@openssl.org
Automated List Manager majo...@openssl.org
