From 06da6e49777285f50aeb1b920d950a9bd27fef52 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Lutz=20J=C3=A4nicke?= Date: Fri, 3 Aug 2001 08:45:13 +0000 Subject: [PATCH] Don't disable rollback attack detection as a recommended bug workaround. --- CHANGES | 8 ++++++++ doc/ssl/SSL_CTX_set_options.pod | 28 +++++++++++++++------------- ssl/ssl.h | 6 +++++- 3 files changed, 28 insertions(+), 14 deletions(-) diff --git a/CHANGES b/CHANGES index 0c96da129c..7ec91e58d2 100644 --- a/CHANGES +++ b/CHANGES @@ -12,6 +12,14 @@ *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 +) applies to 0.9.7 only + +) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended + bug workarounds. Rollback attack detection is a security feature. + The problem will only arise on OpenSSL servers, when TLSv1 is not + available (sslv3_server_method() or SSL_OP_NO_TLSv1). + Software authors not wanting to support TLSv1 will have special reasons + for their choice and can explicitly enable this option. + [Bodo Moeller, Lutz Jaenicke] + +) Rationalise EVP so it can be extended: don't include a union of cipher/digest structures, add init/cleanup functions. This also reduces the number of header dependencies. diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index 88304ef7ed..4e7fbaedc8 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -100,18 +100,6 @@ doing a re-connect, always takes the first cipher in the cipher list. ... -=item SSL_OP_TLS_ROLLBACK_BUG - -Disable version rollback attack detection. - -During the client key exchange, the client must send the same information -about acceptable SSL/TLS protocol levels as during the first hello. Some -clients violate this rule by adapting to the server's answer. (Example: -the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server -only understands up to SSLv3. In this case the client must still use the -same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect -to the server's answer and violate the version rollback protection.) - =item SSL_OP_ALL All of the above bug workarounds. @@ -125,6 +113,18 @@ The following B options are available: =over 4 +=item SSL_OP_TLS_ROLLBACK_BUG + +Disable version rollback attack detection. + +During the client key exchange, the client must send the same information +about acceptable SSL/TLS protocol levels as during the first hello. Some +clients violate this rule by adapting to the server's answer. (Example: +the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server +only understands up to SSLv3. In this case the client must still use the +same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect +to the server's answer and violate the version rollback protection.) + =item SSL_OP_SINGLE_DH_USE Always create a new key when using temporary/ephemeral DH parameters @@ -207,6 +207,8 @@ L SSL_OP_CIPHER_SERVER_PREFERENCE has been added in OpenSSL 0.9.7. -SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6. +SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6 and was automatically +enabled with SSL_OP_ALL. As of 0.9.7 it is no longer included in SSL_OP_ALL +and must be explicitely set. =cut diff --git a/ssl/ssl.h b/ssl/ssl.h index dc80ae9e43..8f5d0a4d47 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -332,7 +332,6 @@ typedef struct ssl_session_st #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L #define SSL_OP_TLS_D5_BUG 0x00000100L #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L -#define SSL_OP_TLS_ROLLBACK_BUG 0x00000400L /* If set, always create a new key when using tmp_dh parameters */ #define SSL_OP_SINGLE_DH_USE 0x00100000L @@ -341,6 +340,11 @@ typedef struct ssl_session_st /* Set on servers to choose the cipher according to the server's * preferences */ #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L +/* If set, a server will allow a client to issue a SSLv3.0 version number + * as latest version supported in the premaster secret, even when TLSv1.0 + * (version 3.1) was announced in the client hello. Normally this is + * forbidden to prevent version rollback attacks. */ +#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L /* The next flag deliberately changes the ciphertest, this is a check * for the PKCS#1 attack */ -- 2.25.1