New option to enable/disable connection to unpatched servers

2009-12-16 20:28:30 +00:00
parent 2456cd58c4
commit 675564835c
12 changed files with 48 additions and 8 deletions
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -698,7 +698,7 @@ int dtls1_client_hello(SSL *s)
 #ifndef OPENSSL_NO_TLSEXT
 		if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
 			{
-			SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
+			SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
 			goto err;
 			}
 #endif		
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -814,7 +814,7 @@ int dtls1_send_server_hello(SSL *s)
 #ifndef OPENSSL_NO_TLSEXT
 		if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
 			{
-			SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
+			SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
 			return -1;
 			}
 #endif
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -517,6 +517,8 @@ typedef struct ssl_session_st

 #define SSL_OP_MICROSOFT_SESS_ID_BUG			0x00000001L
 #define SSL_OP_NETSCAPE_CHALLENGE_BUG			0x00000002L
+/* Allow initial connection to servers that don't support RI */
+#define SSL_OP_LEGACY_SERVER_CONNECT			0x00000004L
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L
 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -129,7 +129,9 @@ extern "C" {
 #endif

 /* Magic Cipher Suite Value. NB: bogus value used for testing */
+#ifndef SSL3_CK_MCSV
 #define SSL3_CK_MCSV				0x03000FEC
+#endif

 #define SSL3_CK_RSA_NULL_MD5			0x03000001
 #define SSL3_CK_RSA_NULL_SHA			0x03000002
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1677,6 +1677,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
 	}
 #endif
 #endif
+	/* Default is to connect to non-RI servers. When RI is more widely
+	 * deployed might change this.
+	 */
+	ret->options = SSL_OP_LEGACY_SERVER_CONNECT;

 	return(ret);
 err:
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1157,8 +1157,9 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 	 * which doesn't support RI so for the immediate future tolerate RI
 	 * absence on initial connect only.
 	 */
-	if (!renegotiate_seen && s->new_session &&
-		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+	if (!renegotiate_seen && 
+		(s->new_session || !(s->options & SSL_OP_LEGACY_SERVER_CONNECT))
+		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
 		{
 		/* FIXME: Spec currently doesn't give alert to use */
 		*al = SSL_AD_ILLEGAL_PARAMETER;