Allow ADH to be used but not present in the default cipher
list. Allow CERTIFICATE to be used in PEM headers for PKCS#7 structures: some CAs do this.
This commit is contained in:
Dr. Stephen Henson
parent
4b42658082
commit
3142c86d65
10
CHANGES
10
CHANGES
@ -4,6 +4,16 @@
|
||||
|
||||
Changes between 0.9.4 and 0.9.5 [xx XXX 2000]
|
||||
|
||||
*) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
|
||||
Some CAs (e.g. Verisign) distribute certificates in this form.
|
||||
[Steve Henson]
|
||||
|
||||
*) Remove the SSL_ALLOW_ADH compile option and set the default cipher
|
||||
list to exclude them. This means that no special compilation option
|
||||
is needed to use anonymous DH: it just needs to be included in the
|
||||
cipher list.
|
||||
[Steve Henson]
|
||||
|
||||
*) Change the EVP_MD_CTX_type macro so its meaning consistent with
|
||||
EVP_MD_type. The old functionality is available in a new macro called
|
||||
EVP_MD_md(). Change code that uses it and update docs.
|
||||
|
||||
@ -217,6 +217,10 @@ static int check_pem(const char *nm, const char *name)
|
||||
if(!strcmp(nm,PEM_STRING_X509_OLD) &&
|
||||
!strcmp(name,PEM_STRING_X509_TRUSTED)) return 1;
|
||||
|
||||
/* Some CAs use PKCS#7 with CERTIFICATE headers */
|
||||
if(!strcmp(nm, PEM_STRING_X509) &&
|
||||
!strcmp(name, PEM_STRING_PKCS7)) return 1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
@ -101,7 +101,8 @@ The following is a list of all permitted cipher strings and their meanings.
|
||||
=item B<DEFAULT>
|
||||
|
||||
the default cipher list. This is determined at compile time and is normally
|
||||
B<TBA>. This must be the first cipher string specified.
|
||||
B<ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH>. This must be the first cipher string
|
||||
specified.
|
||||
|
||||
=item B<ALL>
|
||||
|
||||
@ -143,7 +144,7 @@ included.
|
||||
|
||||
the cipher suites offering no authentication. This is currently the anonymous
|
||||
DH algorithms. These cipher suites are vulnerable to a "man in the middle"
|
||||
attack and so there use is normally discouraged.
|
||||
attack and so their use is normally discouraged.
|
||||
|
||||
=item B<kRSA>, B<RSA>
|
||||
|
||||
|
||||
@ -71,6 +71,18 @@ Output all certificates in a file:
|
||||
|
||||
openssl pkcs7 -in file.pem -print_certs -out certs.pem
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
The PEM PKCS#7 format uses the header and footer lines:
|
||||
|
||||
-----BEGIN PKCS7-----
|
||||
-----END PKCS7-----
|
||||
|
||||
For compatability with some CAs it will also accept:
|
||||
|
||||
-----BEGIN CERTIFICATE-----
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
=head1 RESTRICTIONS
|
||||
|
||||
There is no option to print out all the fields of a PKCS#7 file.
|
||||
|
||||
@ -134,12 +134,7 @@ extern "C" {
|
||||
|
||||
/* 'DEFAULT' at the start of the cipher list insert the following string
|
||||
* in addition to this being the default cipher string */
|
||||
#ifndef NO_RSA
|
||||
#define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
|
||||
#else
|
||||
#define SSL_ALLOW_ADH
|
||||
#define SSL_DEFAULT_CIPHER_LIST "ALL:ADH+3DES:ADH+RC4:ADH+DES:@STRENGTH"
|
||||
#endif
|
||||
|
||||
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
||||
#define SSL_SENT_SHUTDOWN 1
|
||||
|
||||
@ -1367,10 +1367,8 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
|
||||
emask|=SSL_aDSS;
|
||||
}
|
||||
|
||||
#ifdef SSL_ALLOW_ADH
|
||||
mask|=SSL_aNULL;
|
||||
emask|=SSL_aNULL;
|
||||
#endif
|
||||
|
||||
c->mask=mask;
|
||||
c->export_mask=emask;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user