In theory, TLS v1 ciphersuites are not the same as SSL v3 ciphersuites
authorBodo Möller <bodo@openssl.org>
Thu, 6 Apr 2000 22:33:14 +0000 (22:33 +0000)
committerBodo Möller <bodo@openssl.org>
Thu, 6 Apr 2000 22:33:14 +0000 (22:33 +0000)
CHANGES
apps/ciphers.c
ssl/tls1.h

diff --git a/CHANGES b/CHANGES
index 4269015fa046decb35193ea7415678e6a0e17e04..aa2081519867d72983c14b924d852347b3c2be98 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@
 
  Changes between 0.9.5a and 0.9.6  [xx XXX 2000]
 
+  *) Add '-tls1' option to 'openssl ciphers', which was already
+     mentioned in the documentation but had not been implemented.
+     (This option is not yet really useful because even the additional
+     experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.)
+     [Bodo Moeller]
+
   *) Initial DSO code added into libcrypto for letting OpenSSL (and
      OpenSSL-based applications) load shared libraries and bind to
      them in a portable way.
index f8e9e7be2e6d5053f55edc49b990b2638a11e2c0..72b2009e1874e70d33223bb836888e54e4ec8212 100644 (file)
@@ -74,6 +74,7 @@ static char *ciphers_usage[]={
 " -v          - verbose mode, a textual listing of the ciphers in SSLeay\n",
 " -ssl2       - SSL2 mode\n",
 " -ssl3       - SSL3 mode\n",
+" -tls1       - TLS1 mode\n",
 NULL
 };
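Review bot: The new usage line `" -tls1       - TLS1 mode\n"` is emitted unconditionally, while the handler added in the second hunk of this file (the `-tls1` branch of the option loop) is compiled only under `#ifndef NO_TLS1`, so a build with NO_TLS1 defined advertises an option that then falls through to the unknown-option path. Wrapping the entry the same way keeps help output consistent with what the binary accepts: `#ifndef NO_TLS1` / `" -tls1       - TLS1 mode\n",` / `#endif`. The existing `-ssl2`/`-ssl3` entries in the context appear to have the same mismatch with their NO_SSL2/NO_SSL3 guards, so this may be a pre-existing convention rather than a regression; if it is, a one-line comment above the table saying the usage text is not guarded would at least make that deliberate. The option loop in MAIN starts and ends outside the second hunk.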
 
@@ -121,6 +122,10 @@ int MAIN(int argc, char **argv)
 #ifndef NO_SSL3
                else if (strcmp(*argv,"-ssl3") == 0)
                        meth=SSLv3_client_method();
+#endif
+#ifndef NO_TLS1
+               else if (strcmp(*argv,"-tls1") == 0)
+                       meth=TLSv1_client_method();
 #endif
                else if ((strncmp(*argv,"-h",2) == 0) ||
                         (strcmp(*argv,"-?") == 0))
index 6e2b06d34f71ef043438f0ba8dd79d47316fd7f1..cf92ae034f0bd9ce82aebc1f77e75723718b9d02 100644 (file)
@@ -84,6 +84,10 @@ extern "C" {
 #define TLS1_AD_USER_CANCELLED         90
 #define TLS1_AD_NO_RENEGOTIATION       100
 
+/* Additional TLS ciphersuites from draft-ietf-tls-56-bit-ciphersuites-00.txt
+ * (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see
+ * s3_lib.c).  We actually treat them like SSL 3.0 ciphers, which we probably
+ * shouldn't. */
 #define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5         0x03000060
 #define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5     0x03000061
 #define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA                0x03000062
@@ -92,6 +96,13 @@ extern "C" {
 #define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA     0x03000065
 #define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA               0x03000066
 
+/* XXX
+ * Inconsistency alert:
+ * The OpenSSL names of ciphers with ephemeral DH here include the string
+ * "DHE", while elsewhere it has always been "EDH".
+ * (The alias for the list of all such ciphers also is "EDH".)
+ * The specifications speak of "EDH"; maybe we should allow both forms
+ * for everything. */
 #define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5                "EXP1024-RC4-MD5"
 #define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5    "EXP1024-RC2-CBC-MD5"
 #define TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA       "EXP1024-DES-CBC-SHA"