generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Additional workaround for PR#2771

Browse Source 
If OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is set then limit the size of client
ciphersuites to this value. A value of 50 should be sufficient.

Document workarounds in CHANGES.
This commit is contained in:
Dr. Stephen Henson 2012-04-17 14:41:23 +00:00
parent 4a1cf50187
commit 89bd25eb26
3 changed files with 29 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
CHANGES
View File

@ -4,9 +4,18 @@
Changes between 1.0.1 and 1.0.1a [xx XXX xxxx] Changes between 1.0.1 and 1.0.1a [xx XXX xxxx]
*) *) Workarounds for some broken servers that "hang" if a client hello
record length exceeds 255 bytes.
Changes between 1.0.1 and 1.0.1a [xx XXX xxxx] 1. Do not use record version number > TLS 1.0 in initial client
hello: some (but not all) hanging servers will now work.
2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
the number of ciphers sent in the client hello. This should be
set to an even number, such as 50, for example by passing:
-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
Most broken servers should now work.
3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
TLS 1.2 client support entirely.
*) Fix SEGV in Vector Permutation AES module observed in OpenSSH. *) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
[Andy Polyakov] [Andy Polyakov]

9
ssl/s23_clnt.c
View File

@ -469,6 +469,15 @@ static int ssl23_client_hello(SSL *s)
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
return -1; return -1;
} }
#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
/* Some servers hang if client hello > 256 bytes
* as hack workaround chop number of supported ciphers
* to keep it well below this if we use TLS v1.2
*/
if (TLS1_get_version(s) >= TLS1_2_VERSION
&& i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
#endif
s2n(i,p); s2n(i,p);
p+=i; p+=i;

9
ssl/s3_clnt.c
View File

@ -755,6 +755,15 @@ int ssl3_client_hello(SSL *s)
SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
goto err; goto err;
} }
#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
/* Some servers hang if client hello > 256 bytes
* as hack workaround chop number of supported ciphers
* to keep it well below this if we use TLS v1.2
*/
if (TLS1_get_version(s) >= TLS1_2_VERSION
&& i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
#endif
s2n(i,p); s2n(i,p);
p+=i; p+=i;