Add no-ssl2-method
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> MR: #2341 (cherry picked from commit 4256957570a233ed4e9840353e95e623dfd62086)
This commit is contained in:
parent
03c71b84d3
commit
6629966097
4
CHANGES
4
CHANGES
@ -8,6 +8,10 @@
|
|||||||
default.
|
default.
|
||||||
[Kurt Roeckx]
|
[Kurt Roeckx]
|
||||||
|
|
||||||
|
*) Only remove the SSLv2 methods with the no-ssl2-method option. When the
|
||||||
|
methods are enabled and ssl2 is disabled the methods return NULL.
|
||||||
|
[Kurt Roeckx]
|
||||||
|
|
||||||
Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
|
Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
|
||||||
|
|
||||||
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
|
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
|
||||||
|
@ -57,7 +57,8 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include "ssl_locl.h"
|
#include "ssl_locl.h"
|
||||||
#ifndef OPENSSL_NO_SSL2
|
#ifndef OPENSSL_NO_SSL2_METHOD
|
||||||
|
# ifndef OPENSSL_NO_SSL2
|
||||||
# include <stdio.h>
|
# include <stdio.h>
|
||||||
# include <openssl/objects.h>
|
# include <openssl/objects.h>
|
||||||
|
|
||||||
@ -72,10 +73,19 @@ static const SSL_METHOD *ssl2_get_method(int ver)
|
|||||||
|
|
||||||
IMPLEMENT_ssl2_meth_func(SSLv2_method,
|
IMPLEMENT_ssl2_meth_func(SSLv2_method,
|
||||||
ssl2_accept, ssl2_connect, ssl2_get_method)
|
ssl2_accept, ssl2_connect, ssl2_get_method)
|
||||||
#else /* !OPENSSL_NO_SSL2 */
|
|
||||||
|
# else /* !OPENSSL_NO_SSL2 */
|
||||||
|
|
||||||
const SSL_METHOD *SSLv2_method(void) { return NULL; }
|
const SSL_METHOD *SSLv2_method(void) { return NULL; }
|
||||||
const SSL_METHOD *SSLv2_client_method(void) { return NULL; }
|
const SSL_METHOD *SSLv2_client_method(void) { return NULL; }
|
||||||
const SSL_METHOD *SSLv2_server_method(void) { return NULL; }
|
const SSL_METHOD *SSLv2_server_method(void) { return NULL; }
|
||||||
|
|
||||||
|
# endif
|
||||||
|
|
||||||
|
#else /* !OPENSSL_NO_SSL2_METHOD */
|
||||||
|
|
||||||
|
# if PEDANTIC
|
||||||
|
static void *dummy = &dummy;
|
||||||
|
# endif
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
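Review bot: The three NULL-returning stubs under `# else /* !OPENSSL_NO_SSL2 */` carry no comment saying why they exist, and the reader has to go to CHANGES to learn that a no-ssl2 build keeps the SSLv2_*_method symbols exported as "no method" for ABI reasons; a line above them such as `/* SSLv2 compiled out (no-ssl2) but the symbols are kept for ABI: report no method */` would document that contract where it is implemented. Callers presumably hand the result straight to SSL_CTX_new(), so it is worth confirming that path rejects a NULL method rather than dereferencing it. As a style nit, the `#else` annotations (`/* !OPENSSL_NO_SSL2 */`, `/* !OPENSSL_NO_SSL2_METHOD */`) name the condition of the branch being left rather than the one being entered, which reads backwards beside the nested `# ifndef`; the same documentation gap applies to the bare `/* SSLv2 */` comments on the prototypes in the ssl.h hunk, which could say `/* SSLv2; NULL when built with no-ssl2 */`.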
@ -2017,9 +2017,11 @@ const char *SSL_get_version(const SSL *s);
|
|||||||
/* This sets the 'default' SSL version that SSL_new() will create */
|
/* This sets the 'default' SSL version that SSL_new() will create */
|
||||||
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
|
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
|
||||||
|
|
||||||
|
# ifndef OPENSSL_NO_SSL2_METHOD
|
||||||
const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
|
const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
|
||||||
const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
|
const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
|
||||||
const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
|
const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
|
||||||
|
# endif
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_SSL3_METHOD
|
# ifndef OPENSSL_NO_SSL3_METHOD
|
||||||
const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
|
const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
|
||||||
|
@ -1115,6 +1115,7 @@ sub read_options
|
|||||||
"nw-mwasm" => \$nw_mwasm,
|
"nw-mwasm" => \$nw_mwasm,
|
||||||
"gaswin" => \$gaswin,
|
"gaswin" => \$gaswin,
|
||||||
"no-ssl2" => \$no_ssl2,
|
"no-ssl2" => \$no_ssl2,
|
||||||
|
"no-ssl2-method" => 0,
|
||||||
"no-ssl3" => \$no_ssl3,
|
"no-ssl3" => \$no_ssl3,
|
||||||
"no-ssl3-method" => 0,
|
"no-ssl3-method" => 0,
|
||||||
"no-tlsext" => \$no_tlsext,
|
"no-tlsext" => \$no_tlsext,
|
||||||
|
@ -107,6 +107,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
|
|||||||
"CAPIENG",
|
"CAPIENG",
|
||||||
# SSL v2
|
# SSL v2
|
||||||
"SSL2",
|
"SSL2",
|
||||||
|
# SSL v2 method
|
||||||
|
"SSL2_METHOD",
|
||||||
# SSL v3 method
|
# SSL v3 method
|
||||||
"SSL3_METHOD",
|
"SSL3_METHOD",
|
||||||
# JPAKE
|
# JPAKE
|
||||||
@ -143,7 +145,7 @@ my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated;
|
|||||||
my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
|
my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
|
||||||
my $no_jpake; my $no_srp; my $no_ssl2; my $no_ec2m; my $no_nistp_gcc;
|
my $no_jpake; my $no_srp; my $no_ssl2; my $no_ec2m; my $no_nistp_gcc;
|
||||||
my $no_nextprotoneg; my $no_sctp; my $no_srtp;
|
my $no_nextprotoneg; my $no_sctp; my $no_srtp;
|
||||||
my $no_unit_test; my $no_ssl3_method;
|
my $no_unit_test; my $no_ssl3_method; my $no_ssl2_method;
|
||||||
|
|
||||||
my $fips;
|
my $fips;
|
||||||
|
|
||||||
@ -238,6 +240,7 @@ foreach (@ARGV, split(/ /, $options))
|
|||||||
elsif (/^no-ec_nistp_64_gcc_128$/) { $no_nistp_gcc=1; }
|
elsif (/^no-ec_nistp_64_gcc_128$/) { $no_nistp_gcc=1; }
|
||||||
elsif (/^no-nextprotoneg$/) { $no_nextprotoneg=1; }
|
elsif (/^no-nextprotoneg$/) { $no_nextprotoneg=1; }
|
||||||
elsif (/^no-ssl2$/) { $no_ssl2=1; }
|
elsif (/^no-ssl2$/) { $no_ssl2=1; }
|
||||||
|
elsif (/^no-ssl2-method$/) { $no_ssl2_method=1; }
|
||||||
elsif (/^no-ssl3-method$/) { $no_ssl3_method=1; }
|
elsif (/^no-ssl3-method$/) { $no_ssl3_method=1; }
|
||||||
elsif (/^no-capieng$/) { $no_capieng=1; }
|
elsif (/^no-capieng$/) { $no_capieng=1; }
|
||||||
elsif (/^no-jpake$/) { $no_jpake=1; }
|
elsif (/^no-jpake$/) { $no_jpake=1; }
|
||||||
@ -1211,6 +1214,7 @@ sub is_valid
|
|||||||
if ($keyword eq "EC_NISTP_64_GCC_128" && $no_nistp_gcc)
|
if ($keyword eq "EC_NISTP_64_GCC_128" && $no_nistp_gcc)
|
||||||
{ return 0; }
|
{ return 0; }
|
||||||
if ($keyword eq "SSL2" && $no_ssl2) { return 0; }
|
if ($keyword eq "SSL2" && $no_ssl2) { return 0; }
|
||||||
|
if ($keyword eq "SSL2_METHOD" && $no_ssl2_method) { return 0; }
|
||||||
if ($keyword eq "SSL3_METHOD" && $no_ssl3_method) { return 0; }
|
if ($keyword eq "SSL3_METHOD" && $no_ssl3_method) { return 0; }
|
||||||
if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
|
if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
|
||||||
if ($keyword eq "JPAKE" && $no_jpake) { return 0; }
|
if ($keyword eq "JPAKE" && $no_jpake) { return 0; }
|
||||||
|
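Review bot: The new `elsif (/^no-ssl2-method$/) { $no_ssl2_method=1; }` and the `SSL2_METHOD` test in is_valid are independent of `$no_ssl2`, so a plain no-ssl2 build still exports the SSLv2_*_method symbols now that ssl.def tags them `SSL2_METHOD` instead of `SSL2`; that matches the CHANGES entry but is easy to misread as a missing case, so a comment on the is_valid line would help: `# no-ssl2 alone keeps the SSLv2_* method symbols (they return NULL); only no-ssl2-method drops them`. If no-ssl2-method is ever meant to follow from no-ssl2, that coupling belongs in Configure, not in this script. The enclosing `sub is_valid` starts and ends outside the hunk.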
@ -98,9 +98,9 @@ SSLeay_add_ssl_algorithms 109 NOEXIST::FUNCTION:
|
|||||||
SSLv23_client_method 110 EXIST::FUNCTION:RSA
|
SSLv23_client_method 110 EXIST::FUNCTION:RSA
|
||||||
SSLv23_method 111 EXIST::FUNCTION:RSA
|
SSLv23_method 111 EXIST::FUNCTION:RSA
|
||||||
SSLv23_server_method 112 EXIST::FUNCTION:RSA
|
SSLv23_server_method 112 EXIST::FUNCTION:RSA
|
||||||
SSLv2_client_method 113 EXIST::FUNCTION:RSA,SSL2
|
SSLv2_client_method 113 EXIST::FUNCTION:RSA,SSL2_METHOD
|
||||||
SSLv2_method 114 EXIST::FUNCTION:RSA,SSL2
|
SSLv2_method 114 EXIST::FUNCTION:RSA,SSL2_METHOD
|
||||||
SSLv2_server_method 115 EXIST::FUNCTION:RSA,SSL2
|
SSLv2_server_method 115 EXIST::FUNCTION:RSA,SSL2_METHOD
|
||||||
SSLv3_client_method 116 EXIST::FUNCTION:SSL3_METHOD
|
SSLv3_client_method 116 EXIST::FUNCTION:SSL3_METHOD
|
||||||
SSLv3_method 117 EXIST::FUNCTION:SSL3_METHOD
|
SSLv3_method 117 EXIST::FUNCTION:SSL3_METHOD
|
||||||
SSLv3_server_method 118 EXIST::FUNCTION:SSL3_METHOD
|
SSLv3_server_method 118 EXIST::FUNCTION:SSL3_METHOD
|
||||||
|