The flag SSL_OP_MSIE_SSLV2_RSA_PADDING hasn't done anything since OpenSSL
0.9.7h but deleting it will break source compatibility with any software
that references it. Restore it but #define to zero.
Fix a limitation in SSL_CTX_use_certificate_chain_file(): use algorithm
specific chains instead of the shared chain.
Update docs.
(cherry picked from commit a4339ea3ba045b7da038148f0d48ce25f2996971)
Conflicts:
CHANGES
When sending an invalid version number alert don't change the
version number to the client version if a session is already
established.
Thanks to Marek Majkowski for additional analysis of this issue.
PR#3191
(cherry picked from commit b77b58a398c8b9b4113f3fb6b48e162a3b8d4527)
For DTLS we might need to retransmit messages from the previous session
so keep a copy of write context in DTLS retransmission buffers instead
of replacing it after sending CCS. CVE-2013-6450.
(cherry picked from commit 34628967f1e65dc8f34e000f0f5518e21afbfc7b)
New functions to retrieve current certificate or private key
from an SSL_CTX.
Constify SSL_get_private_key().
(cherry picked from commit a25f9adc778e17568fe2a325e5c3606adb8329f1)
If pointer comparison for current certificate fails check
to see if a match using X509_cmp succeeds for the current
certificate: this is useful for cases where the certificate
pointer is not available.
(cherry picked from commit 6856b288a6e66edd23907b7fa264f42e05ac9fc7)
PR#3169
This patch, which currently applies successfully against master and
1_0_2, adds the following functions:
SSL_[CTX_]select_current_cert() - set the current certificate without
disturbing the existing structure.
SSL_[CTX_]get0_chain_certs() - get the current certificate's chain.
SSL_[CTX_]clear_chain_certs() - clear the current certificate's chain.
The patch also adds these functions to, and fixes some existing errors
in, SSL_CTX_add1_chain_cert.pod.
(cherry picked from commit 2f56c9c015dbca45379c9a725915b3b8e765a119)
Extend SSL_CONF to return command value types.
Add certificate and key options.
Update documentation.
(cherry picked from commit ec2f7e568ea18a22ab57326fffe78ef2aa6884f5)
PR: 2808
With DTLS/SCTP the SCTP extension SCTP-AUTH is used to protect DATA and
FORWARD-TSN chunks. The key for this extension is derived from the
master secret and changed with the next ChangeCipherSpec, whenever a new
key has been negotiated. The following Finished then already uses the
new key. Unfortunately, the ChangeCipherSpec and Finished are part of
the same flight as the ClientKeyExchange, which is necessary for the
computation of the new secret. Hence, these messages are sent
immediately following each other, leaving the server very little time to
compute the new secret and pass it to SCTP before the finished arrives.
So the Finished is likely to be discarded by SCTP and a retransmission
becomes necessary. To prevent this issue, the Finished of the client is
still sent with the old key.
Instead, send random bytes, unless SSL_SEND_{CLIENT,SERVER}RANDOM_MODE
is set.
This is a forward-port of commits:
4af793036f6ef4f0a1078e5d7155426a98d50e37
f4c93b46edb51da71f09eda99e83eaf193a33c08
3da721dac9382c48812c8eba455528fd59af2eef
2583270191a8b27eed303c03ece1da97b9b69fd3
While the gmt_unix_time record was added in an ostensible attempt to
mitigate the dangers of a bad RNG, its presence leaks the host's view
of the current time in the clear. This minor leak can help
fingerprint TLS instances across networks and protocols... and what's
worse, it's doubtful thet the gmt_unix_time record does any good at
all for its intended purpose, since:
* It's quite possible to open two TLS connections in one second.
* If the PRNG output is prone to repeat itself, ephemeral
handshakes (and who knows what else besides) are broken.
Removing RSA+MD5 from the default signature algorithm list
prevents its use by default.
If a broken implementation attempts to use RSA+MD5 anyway the sanity
checking of signature algorithms will cause a fatal alert.
(cherry picked from commit 77a0f740d00ecf8f6b01c0685a2f858c3f65a3dd)
Make DTLS behave like TLS when negotiating version: record layer has
DTLS 1.0, message version is 1.2.
Tolerate different version numbers if version hasn't been negotiated
yet.
(cherry picked from commit 40088d8b8190a2a33828a769c23bf35de542c7dc)
Add DTLS record header parsing, different client hello format and add
HelloVerifyRequest message type.
Add code to d1_pkt.c to send message headers to the message callback.
(cherry picked from commit 890f2f8b92b385ef3898cdb4a15a071ffcf8107f)
Conflicts:
ssl/ssl_locl.h
Check for Suite B support using method flags instead of version numbers:
anything supporting TLS 1.2 cipher suites will also support Suite B.
Return an error if an attempt to use DTLS 1.0 is made in Suite B mode.
(cherry picked from commit 4544f0a69161a37ee3edce3cc1bc34c3678a4d64)
If we successfully match a cookie don't set return value to 2 as this
results in other error conditions returning 2 as well.
Instead set return value to -2 which can be checked later if everything
else is OK.
(cherry picked from commit c56f5b8edfbcec704f924870daddd96a5f768fbb)
Add new methods DTLS_*_method() which support both DTLS 1.0 and DTLS 1.2 and
pick the highest version the peer supports during negotiation.
As with SSL/TLS options can change this behaviour specifically
SSL_OP_NO_DTLSv1 and SSL_OP_NO_DTLSv1_2.
(cherry picked from commit c6913eeb762edffddecaaba5c84909d7a7962927)
Conflicts:
CHANGES
Port TLS 1.2 GCM code to DTLS. Enable use of TLS 1.2 only ciphers when in
DTLS 1.2 mode too.
(cherry picked from commit 4221c0dd3004117c63b182af5e8ab345b7265902)
Add DTLS1.2 support for cached records when computing handshake macs
instead of the MD5+SHA1 case for DTLS < 1.2 (this is a port of the
equivalent TLS 1.2 code to DTLS).
(cherry picked from commit 04fac50045929e7078cad4835478dd7f16b6d4bd)
