Server: cvs.openssl.org Name: Dr. Stephen Henson
Root: /v/openssl/cvs Email: st...@openssl.org
Module: openssl Date: 12-Feb-2010 22:59:31
Branch: HEAD Handle: 2010021221593001
Modified files:
openssl CHANGES NEWS
openssl/doc/ssl SSL_CTX_set_options.pod
Log:
update references to new RI RFC
Summary:
Revision Changes Path
1.1535 +11 -12 openssl/CHANGES
1.72 +1 -1 openssl/NEWS
1.21 +2 -2 openssl/doc/ssl/SSL_CTX_set_options.pod
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openssl/CHANGES
============================================================================
$ cvs diff -u -r1.1534 -r1.1535 CHANGES
--- openssl/CHANGES 8 Feb 2010 15:31:32 -0000 1.1534
+++ openssl/CHANGES 12 Feb 2010 21:59:30 -0000 1.1535
@@ -929,14 +929,14 @@
[Steve Henson]
*) If client attempts to renegotiate and doesn't support RI respond with
- a no_renegotiation alert as required by draft-ietf-tls-renegotiation.
- Some renegotiating TLS clients will continue a connection gracefully
- when they receive the alert. Unfortunately OpenSSL mishandled
- this alert and would hang waiting for a server hello which it will never
- receive. Now we treat a received no_renegotiation alert as a fatal
- error. This is because applications requesting a renegotiation might well
- expect it to succeed and would have no code in place to handle the server
- denying it so the only safe thing to do is to terminate the connection.
+ a no_renegotiation alert as required by RFC5746. Some renegotiating
+ TLS clients will continue a connection gracefully when they receive
+ the alert. Unfortunately OpenSSL mishandled this alert and would hang
+ waiting for a server hello which it will never receive. Now we treat a
+ received no_renegotiation alert as a fatal error. This is because
+ applications requesting a renegotiation might well expect it to succeed
+ and would have no code in place to handle the server denying it so the
+ only safe thing to do is to terminate the connection.
[Steve Henson]
*) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
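Review bot: the only substantive change in this hunk is the citation swap from draft-ietf-tls-renegotiation to RFC5746, but the whole eight-line paragraph is reflowed, so a reader of `cvs diff` or `cvs annotate` sees eight lines removed and eight added for a one-token edit. Rewrapping just the first line ("a no_renegotiation alert as required by RFC5746.") and leaving the rest of the paragraph alone would keep the blame history intact and make the reference update obvious at a glance.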
@@ -948,10 +948,9 @@
the updated NID creation version. This should correctly handle UTF8.
[Steve Henson]
- *) Implement draft-ietf-tls-renegotiation-03. Re-enable
- renegotiation but require the extension as needed. Unfortunately,
- SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a
- bad idea. It has been replaced by
+ *) Implement RFC5746. Re-enable renegotiation but require the extension
+ as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+ turns out to be a bad idea. It has been replaced by
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
SSL_CTX_set_options(). This is really not recommended unless you
know what you are doing.
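Review bot: replacing "Implement draft-ietf-tls-renegotiation-03" with "Implement RFC5746" drops the draft number from a historical CHANGES entry, which loses the record of which revision of the extension was actually implemented at the time. Since CHANGES is a changelog rather than current documentation, consider keeping the original wording and noting the relationship, e.g. "Implement draft-ietf-tls-renegotiation-03 (now RFC5746)", so that anyone checking behaviour against the draft still has the pointer.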
@@ .
patch -p0 <<'@@ .'
Index: openssl/NEWS
============================================================================
$ cvs diff -u -r1.71 -r1.72 NEWS
--- openssl/NEWS 20 Jan 2010 17:56:34 -0000 1.71
+++ openssl/NEWS 12 Feb 2010 21:59:30 -0000 1.72
@@ -7,7 +7,7 @@
Major changes between OpenSSL 0.9.8l and OpenSSL 1.0:
- o Support for draft-ietf-tls-renegotiation-03.txt
+ o Support for RFC5746 TLS renegotiation extension.
o RFC3280 path validation: sufficient to process PKITS tests.
o Integrated support for PVK files and keyblobs.
o Change default private key format to PKCS#8.
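Review bot: the new NEWS line says "RFC5746 TLS renegotiation extension", but the pod hunk in this same commit documents the feature under the heading "SECURE RENEGOTIATION" and CHANGES names the accessor SSL_get_secure_renegotiation_support(). Aligning the NEWS wording with that term, e.g. "o Support for RFC5746 secure renegotiation extension.", makes the three references to the same feature consistent and easier to search for.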
@@ .
patch -p0 <<'@@ .'
Index: openssl/doc/ssl/SSL_CTX_set_options.pod
============================================================================
$ cvs diff -u -r1.20 -r1.21 SSL_CTX_set_options.pod
--- openssl/doc/ssl/SSL_CTX_set_options.pod 27 Jan 2010 18:53:33 -0000 1.20
+++ openssl/doc/ssl/SSL_CTX_set_options.pod 12 Feb 2010 21:59:31 -0000 1.21
@@ -234,8 +234,8 @@
=head1 SECURE RENEGOTIATION
OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
-described in draft-ietf-tls-renegotiation (FIXME: replace by RFC). This
-counters the prefix attack described in CVE-2009-3555 and elsewhere.
+described in RFC5746. This counters the prefix attack described in
+CVE-2009-3555 and elsewhere.
The deprecated and highly broken SSLv2 protocol does not support secure
renegotiation at all: its use is B<strongly> discouraged.
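Review bot: with the FIXME resolved, the SECURE RENEGOTIATION section now cites RFC5746 and CVE-2009-3555 but gives the reader no way to find out whether a given connection actually negotiated the extension. The CHANGES hunk above introduces SSL_get_secure_renegotiation_support() for exactly that purpose, so a short cross-reference to it (and to SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, which this same pod documents) after "This counters the prefix attack described in CVE-2009-3555 and elsewhere." would make the section self-contained.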
@@ .
______________________________________________________________________
OpenSSL Project http://www.openssl.org
CVS Repository Commit List opens...@openssl.org
Automated List Manager majo...@openssl.org