generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove support for SSL_OP_NETSCAPE_CA_DN_BUG.

Browse Source 
This is an ancient bug workaround for Netscape clients. The documentation
talks about versions 3.x and 4.x beta.

Reviewed-by: Tim Hudson <tjh@openssl.org>
This commit is contained in:
Matt Caswell 2015-02-05 15:57:54 +00:00
parent ae632974f9
commit 3c33c6f6b1
4 changed files with 9 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
doc/ssl/SSL_CTX_set_options.pod
View File

@ -169,11 +169,6 @@ will send its list of preferences to the client and the client chooses.
... ...
=item SSL_OP_NETSCAPE_CA_DN_BUG
If we accept a netscape connection, demand a client cert, have a
non-self-signed CA which does not have its CA in netscape, and the
browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta
=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG =item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG

12
ssl/s3_clnt.c
View File

@ -2109,8 +2109,6 @@ int ssl3_get_certificate_request(SSL *s)
for (nc = 0; nc < llen;) { for (nc = 0; nc < llen;) {
n2s(p, l); n2s(p, l);
if ((l + nc + 2) > llen) { if ((l + nc + 2) > llen) {
if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
goto cont; /* netscape bugs */
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG); SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
goto err; goto err;
@ -2119,15 +2117,10 @@ int ssl3_get_certificate_request(SSL *s)
q = p; q = p;
if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) { if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
/* If netscape tolerance is on, ignore errors */
if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
goto cont;
else {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB); SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
goto err; goto err;
} }
}
if (q != (p + l)) { if (q != (p + l)) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
@ -2144,11 +2137,6 @@ int ssl3_get_certificate_request(SSL *s)
nc += l + 2; nc += l + 2;
} }
if (0) {
cont:
ERR_clear_error();
}
/* we should setup a certificate to return.... */ /* we should setup a certificate to return.... */
s->s3->tmp.cert_req = 1; s->s3->tmp.cert_req = 1;
s->s3->tmp.ctype_num = ctype_num; s->s3->tmp.ctype_num = ctype_num;

10
ssl/s3_srvr.c
View File

@ -2056,20 +2056,10 @@ int ssl3_send_certificate_request(SSL *s)
goto err; goto err;
} }
p = ssl_handshake_start(s) + n; p = ssl_handshake_start(s) + n;
if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
s2n(j, p); s2n(j, p);
i2d_X509_NAME(name, &p); i2d_X509_NAME(name, &p);
n += 2 + j; n += 2 + j;
nl += 2 + j; nl += 2 + j;
} else {
d = p;
i2d_X509_NAME(name, &p);
j -= 2;
s2n(j, d);
j += 2;
n += j;
nl += j;
}
} }
} }
/* else no CA names */ /* else no CA names */

3
ssl/ssl.h
View File

@ -478,7 +478,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
# define SSL_OP_PKCS1_CHECK_1 0x0 # define SSL_OP_PKCS1_CHECK_1 0x0
# define SSL_OP_PKCS1_CHECK_2 0x0 # define SSL_OP_PKCS1_CHECK_2 0x0
# define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L /* Removed as of OpenSSL 1.1.0 */
# define SSL_OP_NETSCAPE_CA_DN_BUG 0x0
# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L # define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
/* /*
* Make server add server-hello extension from early version of cryptopro * Make server add server-hello extension from early version of cryptopro