Update from 1.0.0-stable

2009-04-08 16:16:35 +00:00 · 2009-04-08 16:16:35 +00:00 · 22c98d4aad
commit 22c98d4aad
parent cc7399e79c
4 changed files with 26 additions and 2 deletions
--- a/6
+++ b/6
@ -4,6 +4,12 @@

 Changes between 0.9.8k and 1.0  [xx XXX xxxx]

+  *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
+     this allows the use of compression and extensions. Change default cipher
+     string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
+     by default unless an application cipher string requests it.
+     [Steve Henson]
+
  *) Alter match criteria in PKCS12_parse(). It used to try to use local
     key ids to find matching certificates and keys but some PKCS#12 files
     don't follow the (somewhat unwritten) rules and this strategy fails.
--- a/crypto/x509v3/v3_alt.c
+++ b/crypto/x509v3/v3_alt.c
@ -366,6 +366,7 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
                if (move_p)
                        {
                        X509_NAME_delete_entry(nm, i);
+			X509_NAME_ENTRY_free(ne);
                        i--;
                        }
 		if(!email || !(gen = GENERAL_NAME_new())) {
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@ -250,6 +250,20 @@ end:
 	return(ret);
 	}

+static int ssl23_no_ssl2_ciphers(SSL *s)
+	{
+	SSL_CIPHER *cipher;
+	STACK_OF(SSL_CIPHER) *ciphers;
+	int i;
+	ciphers = SSL_get_ciphers(s);
+	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++)
+		{
+		cipher = sk_SSL_CIPHER_value(ciphers, i);
+		if (cipher->algorithm_ssl == SSL_SSLV2)
+			return 0;
+		}
+	return 1;
+	}

 static int ssl23_client_hello(SSL *s)
 	{
@ -264,6 +278,9 @@ static int ssl23_client_hello(SSL *s)

 	ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1;

+	if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
+		ssl2_compat = 0;
+
 	if (!(s->options & SSL_OP_NO_TLSv1))
 		{
 		version = TLS1_VERSION;
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@ -324,8 +324,8 @@ extern "C" {
 /* The following cipher list is used by default.
 * It also is substituted when an application-defined cipher list string
 * starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL"
-/* As of OpenSSL 0.9.9, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+#define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL:!SSlv2"
+/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
 * starts with a reasonable order, and all we have to do for DEFAULT is
 * throwing out anonymous and unencrypted ciphersuites!
 * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable