Put ECCdraft ciphersuites back into default build (but disabled

unless specifically requested)

CHANGES

@@ -4,9 +4,13 @@
 
  Changes between 0.9.8b and 0.9.8c  [xx XXX xxxx]
 
-  *) Disable "ECCdraft" ciphersuites (which were not part of the "ALL"
-     alias).  These are now excluded from compilation by default, since
-     OpenSSL 0.9.9[-dev] should be used for TLS with elliptic curves.
+  *) Disable "ECCdraft" ciphersuites more thoroughly.  Now special
+     treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
+     cannot be implicitly activated as part of, e.g., the "AES" alias.
+     However, please upgrade to OpenSSL 0.9.9[-dev] for
+     non-experimental use of the ECC ciphersuites to get TLS extension
+     support, which is required for curve and point format negotiation
+     to avoid potential handshake problems.
      [Bodo Moeller]
 
   *) Disable rogue ciphersuites:

ssl/s3_lib.c

@@ -1165,7 +1165,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	},
 #endif /* OPENSSL_NO_CAMELLIA */
 
-#if 0 /* please use OpenSSL 0.9.9 branch for ECC ciphersuites */
 #ifndef OPENSSL_NO_ECDH
 	/* Cipher C001 */
 	    {
@@ -1517,7 +1516,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_STRENGTHS,
             },
 #endif	/* OPENSSL_NO_ECDH */
-#endif
 
 
 /* end of list */

ssl/ssl_ciph.c

@@ -635,8 +635,22 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 			{
 			if (!curr->active)
 				{
-				ll_append_tail(&head, curr, &tail);
-				curr->active = 1;
+				int add_this_cipher = 1;
+
+				if (((cp->algorithms & (SSL_kECDHE|SSL_kECDH|SSL_aECDSA)) != 0))
+					{
+					/* Make sure "ECCdraft" ciphersuites are activated only if
+					 * *explicitly* requested, but not implicitly (such as
+					 * as part of the "AES" alias). */
+
+					add_this_cipher = (mask & (SSL_kECDHE|SSL_kECDH|SSL_aECDSA)) != 0;
+					}
+				
+				if (add_this_cipher)
+					{
+					ll_append_tail(&head, curr, &tail);
+					curr->active = 1;
+					}
 				}
 			}
 		/* Move the added cipher to this location */