Disable SSLv2 default build, default negotiation and weak ciphers.

SSLv2 is by default disabled at build-time.  Builds that are not
configured with "enable-ssl2" will not support SSLv2.  Even if
"enable-ssl2" is used, users who want to negotiate SSLv2 via the
version-flexible SSLv23_method() will need to explicitly call either
of:

    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
    SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

as appropriate.  Even if either of those is used, or the application
explicitly uses the version-specific SSLv2_method() or its client
or server variants, SSLv2 ciphers vulnerable to exhaustive search
key recovery have been removed.  Specifically, the SSLv2 40-bit
EXPORT ciphers, and SSLv2 56-bit DES are no longer available.

Mitigation for CVE-2016-0800

Reviewed-by: Emilia Käsper <emilia@openssl.org>

diff --git a/CHANGES b/CHANGES
index b95a3ed33f9a47d8816d170f3ac421427a27714a..f209b3e0d3edb97b7ef48e9378f25f3471b42250 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,23 @@
 
  Changes between 1.0.1r and 1.0.1s [xx XXX xxxx]
 
+  * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
+    is by default disabled at build-time.  Builds that are not configured with
+    "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
+    users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
+    will need to explicitly call either of:
+
+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
+    or
+        SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
+
+    as appropriate.  Even if either of those is used, or the application
+    explicitly uses the version-specific SSLv2_method() or its client and
+    server variants, SSLv2 ciphers vulnerable to exhaustive search key
+    recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
+    ciphers, and SSLv2 56-bit DES are no longer available.
+    [Viktor Dukhovni]
+
   *) Disable SRP fake user seed to address a server memory leak.
 
      Add a new method SRP_VBASE_get1_by_user that handles the seed properly.

diff --git a/Configure b/Configure
index 0a5ffac750fa561ac88eb92e5378d97c5a621850..ea74c91537c5234beac6cb0655772fd189b2cc89 100755 (executable)
--- a/Configure
+++ b/Configure
@@ -724,8 +724,9 @@ my %disabled = ( # "what"         => "comment" [or special keyword "experimental
                 "md2"            => "default",
                 "rc5"            => "default",
                 "rfc3779"        => "default",
-                "sctp"       => "default",
+                "sctp"           => "default",
                 "shared"         => "default",
+                "ssl2"           => "default",
                 "store"          => "experimental",
                 "unit-test"      => "default",
                 "zlib"           => "default",

diff --git a/NEWS b/NEWS
index 43405541d4b681ca19e0a4aa857af59dd748f83b..ce256aeb6af8031ddff13744230879a2bd2e0826 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,7 @@
 
   Major changes between OpenSSL 1.0.1r and OpenSSL 1.0.1s [under development]
 
-      o
+      o Disable SSLv2 default build, default negotiation and weak ciphers.
 
   Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [28 Jan 2016]
 

diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
index 7e3674a685fb9162077fc2c5892c450ba2a564c0..82c17315498053a3af9e4ad616382829ef68aaa3 100644 (file)
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@@ -156,6 +156,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
      128,
      },
 
+# if 0
 /* RC4_128_EXPORT40_WITH_MD5 */
     {
      1,
@@ -171,6 +172,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
      40,
      128,
      },
+# endif
 
 /* RC2_128_CBC_WITH_MD5 */
     {
@@ -188,6 +190,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
      128,
      },
 
+# if 0
 /* RC2_128_CBC_EXPORT40_WITH_MD5 */
     {
      1,
@@ -203,6 +206,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
      40,
      128,
      },
+# endif
 
 # ifndef OPENSSL_NO_IDEA
 /* IDEA_128_CBC_WITH_MD5 */
@@ -222,6 +226,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
      },
 # endif
 
+# if 0
 /* DES_64_CBC_WITH_MD5 */
     {
      1,
@@ -237,6 +242,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
      56,
      56,
      },
+# endif
 
 /* DES_192_EDE3_CBC_WITH_MD5 */
     {

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 93d1cbe438e443c4a7348c37fc1674991e87c3d1..33c52ac5bf03ae0eed6e486186aaa529fab65996 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1896,6 +1896,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
      */
     ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
 
+    /*
+     * Disable SSLv2 by default, callers that want to enable SSLv2 will have to
+     * explicitly clear this option via either of SSL_CTX_clear_options() or
+     * SSL_clear_options().
+     */
+    ret->options |= SSL_OP_NO_SSLv2;
+
     return (ret);
  err:
     SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);