generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update from 1.0.0-stable

Browse Source
This commit is contained in:
Dr. Stephen Henson 2009-04-08 16:16:35 +00:00
parent cc7399e79c
commit 22c98d4aad
4 changed files with 26 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGES
View File

@ -4,6 +4,12 @@
Changes between 0.9.8k and 1.0 [xx XXX xxxx] Changes between 0.9.8k and 1.0 [xx XXX xxxx]
*) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
this allows the use of compression and extensions. Change default cipher
string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
by default unless an application cipher string requests it.
[Steve Henson]
*) Alter match criteria in PKCS12_parse(). It used to try to use local *) Alter match criteria in PKCS12_parse(). It used to try to use local
key ids to find matching certificates and keys but some PKCS#12 files key ids to find matching certificates and keys but some PKCS#12 files
don't follow the (somewhat unwritten) rules and this strategy fails. don't follow the (somewhat unwritten) rules and this strategy fails.

1
crypto/x509v3/v3_alt.c
View File

@ -366,6 +366,7 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
if (move_p) if (move_p)
{ {
X509_NAME_delete_entry(nm, i); X509_NAME_delete_entry(nm, i);
X509_NAME_ENTRY_free(ne);
i--; i--;
} }
if(!email || !(gen = GENERAL_NAME_new())) { if(!email || !(gen = GENERAL_NAME_new())) {

17
ssl/s23_clnt.c
View File

@ -250,6 +250,20 @@ end:
return(ret); return(ret);
} }
static int ssl23_no_ssl2_ciphers(SSL *s)
{
SSL_CIPHER *cipher;
STACK_OF(SSL_CIPHER) *ciphers;
int i;
ciphers = SSL_get_ciphers(s);
for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++)
{
cipher = sk_SSL_CIPHER_value(ciphers, i);
if (cipher->algorithm_ssl == SSL_SSLV2)
return 0;
}
return 1;
}
static int ssl23_client_hello(SSL *s) static int ssl23_client_hello(SSL *s)
{ {
@ -264,6 +278,9 @@ static int ssl23_client_hello(SSL *s)
ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1; ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1;
if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
ssl2_compat = 0;
if (!(s->options & SSL_OP_NO_TLSv1)) if (!(s->options & SSL_OP_NO_TLSv1))
{ {
version = TLS1_VERSION; version = TLS1_VERSION;

4
ssl/ssl.h
View File

@ -324,8 +324,8 @@ extern "C" {
/* The following cipher list is used by default. /* The following cipher list is used by default.
* It also is substituted when an application-defined cipher list string * It also is substituted when an application-defined cipher list string
* starts with 'DEFAULT'. */ * starts with 'DEFAULT'. */
#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL" #define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSlv2"
/* As of OpenSSL 0.9.9, ssl_create_cipher_list() in ssl/ssl_ciph.c always /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is * starts with a reasonable order, and all we have to do for DEFAULT is
* throwing out anonymous and unencrypted ciphersuites! * throwing out anonymous and unencrypted ciphersuites!
* (The latter are not actually enabled by ALL, but "ALL:RSA" would enable * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable