From 3142c86d65a7da76d60622dcf1c177479d1bc9de Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 23 Feb 2000 01:11:01 +0000 Subject: [PATCH] Allow ADH to be used but not present in the default cipher list. Allow CERTIFICATE to be used in PEM headers for PKCS#7 structures: some CAs do this. --- CHANGES | 10 ++++++++++ crypto/pem/pem_lib.c | 4 ++++ doc/apps/ciphers.pod | 5 +++-- doc/apps/pkcs7.pod | 12 ++++++++++++ ssl/ssl.h | 5 ----- ssl/ssl_lib.c | 2 -- 6 files changed, 29 insertions(+), 9 deletions(-) diff --git a/CHANGES b/CHANGES index cfaa9770b8..d3be5308a8 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,16 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 2000] + *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures. + Some CAs (e.g. Verisign) distribute certificates in this form. + [Steve Henson] + + *) Remove the SSL_ALLOW_ADH compile option and set the default cipher + list to exclude them. This means that no special compilation option + is needed to use anonymous DH: it just needs to be included in the + cipher list. + [Steve Henson] + *) Change the EVP_MD_CTX_type macro so its meaning consistent with EVP_MD_type. The old functionality is available in a new macro called EVP_MD_md(). Change code that uses it and update docs. diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index 1b441d7852..072211ba0f 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -217,6 +217,10 @@ static int check_pem(const char *nm, const char *name) if(!strcmp(nm,PEM_STRING_X509_OLD) && !strcmp(name,PEM_STRING_X509_TRUSTED)) return 1; + /* Some CAs use PKCS#7 with CERTIFICATE headers */ + if(!strcmp(nm, PEM_STRING_X509) && + !strcmp(name, PEM_STRING_PKCS7)) return 1; + return 0; } diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index 2ca55b0cc9..2301e28251 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod @@ -101,7 +101,8 @@ The following is a list of all permitted cipher strings and their meanings. =item B the default cipher list. This is determined at compile time and is normally -B. This must be the first cipher string specified. +B. This must be the first cipher string +specified. =item B @@ -143,7 +144,7 @@ included. the cipher suites offering no authentication. This is currently the anonymous DH algorithms. These cipher suites are vulnerable to a "man in the middle" -attack and so there use is normally discouraged. +attack and so their use is normally discouraged. =item B, B diff --git a/doc/apps/pkcs7.pod b/doc/apps/pkcs7.pod index b721e395a2..4e9bd6e46b 100644 --- a/doc/apps/pkcs7.pod +++ b/doc/apps/pkcs7.pod @@ -71,6 +71,18 @@ Output all certificates in a file: openssl pkcs7 -in file.pem -print_certs -out certs.pem +=head1 NOTES + +The PEM PKCS#7 format uses the header and footer lines: + + -----BEGIN PKCS7----- + -----END PKCS7----- + +For compatability with some CAs it will also accept: + + -----BEGIN CERTIFICATE----- + -----END CERTIFICATE----- + =head1 RESTRICTIONS There is no option to print out all the fields of a PKCS#7 file. diff --git a/ssl/ssl.h b/ssl/ssl.h index 040304b774..6f2454cece 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -134,12 +134,7 @@ extern "C" { /* 'DEFAULT' at the start of the cipher list insert the following string * in addition to this being the default cipher string */ -#ifndef NO_RSA #define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH" -#else -#define SSL_ALLOW_ADH -#define SSL_DEFAULT_CIPHER_LIST "ALL:ADH+3DES:ADH+RC4:ADH+DES:@STRENGTH" -#endif /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ #define SSL_SENT_SHUTDOWN 1 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index f09e46c346..5af71b5545 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1367,10 +1367,8 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher) emask|=SSL_aDSS; } -#ifdef SSL_ALLOW_ADH mask|=SSL_aNULL; emask|=SSL_aNULL; -#endif c->mask=mask; c->export_mask=emask; -- 2.25.1