artulab
projects / openbsd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: cea2ef1)
SSL_OP_ALL is supposed to be all options and workarounds that are safe,
authortedu <tedu@openbsd.org>
Mon, 28 Apr 2014 20:05:21 +0000 (20:05 +0000)
committertedu <tedu@openbsd.org>
Mon, 28 Apr 2014 20:05:21 +0000 (20:05 +0000)
but disabling attack mitigations is not safe. 0.9.6d contained a
workaround for an attack against CBC modes. 0.9.6e disabled it by default
because "some" implementations couldn't handle empty fragments. 12 years
have passed. Does anybody still care? Let's find out.
ok miod

lib/libssl/src/ssl/ssl.h patch | blob | history
lib/libssl/ssl.h patch | blob | history

diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h
index 6331601..1276b2f 100644 (file)
--- a/lib/libssl/src/ssl/ssl.h
+++ b/lib/libssl/src/ssl/ssl.h
@@ -546,14 +546,16 @@ struct ssl_session_st {
 
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
  * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
- * the workaround is not needed.  Unfortunately some broken SSL/TLS
- * implementations cannot handle it at all, which is why we include
- * it in SSL_OP_ALL. */
+ * the workaround is not needed.
+ * Unfortunately some broken SSL/TLS implementations cannot handle it
+ * at all, which is why it was previously included in SSL_OP_ALL.
+ * Now it's not.
+ */
 #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              0x00000800L /* added in 0.9.6e */
 
 /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
  *             This used to be 0x000FFFFFL before 0.9.7. */
-#define SSL_OP_ALL                                     0x80000BFFL
+#define SSL_OP_ALL                                     0x800004FFL
 
 /* DTLS options */
 #define SSL_OP_NO_QUERY_MTU                 0x00001000L
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index 6331601..1276b2f 100644 (file)
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -546,14 +546,16 @@ struct ssl_session_st {
 
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
  * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
- * the workaround is not needed.  Unfortunately some broken SSL/TLS
- * implementations cannot handle it at all, which is why we include
- * it in SSL_OP_ALL. */
+ * the workaround is not needed.
+ * Unfortunately some broken SSL/TLS implementations cannot handle it
+ * at all, which is why it was previously included in SSL_OP_ALL.
+ * Now it's not.
+ */
 #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              0x00000800L /* added in 0.9.6e */
 
 /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
  *             This used to be 0x000FFFFFL before 0.9.7. */
-#define SSL_OP_ALL                                     0x80000BFFL
+#define SSL_OP_ALL                                     0x800004FFL
 
 /* DTLS options */
 #define SSL_OP_NO_QUERY_MTU                 0x00001000L
OpenBSD src
by Ahmet Artu Yildirim