1
Description: disallow SSLv2 initialization, and force it disabled even in
3
Author: Kees Cook <kees@ubuntu.com>
4
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589706
6
Index: openssl-0.9.8o/ssl/ssl_lib.c
7
===================================================================
8
--- openssl-0.9.8o.orig/ssl/ssl_lib.c 2010-02-17 20:43:08.000000000 +0100
9
+++ openssl-0.9.8o/ssl/ssl_lib.c 2010-07-19 22:10:51.885282388 +0200
13
case SSL_CTRL_OPTIONS:
14
+ larg|=SSL_OP_NO_SSLv2;
15
return(s->options|=larg);
16
case SSL_CTRL_CLEAR_OPTIONS:
17
+ larg&=~SSL_OP_NO_SSLv2;
18
return(s->options&=~larg);
20
return(s->mode|=larg);
21
@@ -1096,8 +1098,10 @@
22
case SSL_CTRL_SESS_CACHE_FULL:
23
return(ctx->stats.sess_cache_full);
24
case SSL_CTRL_OPTIONS:
25
+ larg|=SSL_OP_NO_SSLv2;
26
return(ctx->options|=larg);
27
case SSL_CTRL_CLEAR_OPTIONS:
28
+ larg&=~SSL_OP_NO_SSLv2;
29
return(ctx->options&=~larg);
31
return(ctx->mode|=larg);
37
+ if (meth == NULL || meth->version <= SSL2_VERSION)
39
SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED);
43
ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
45
+ /* Force no SSLv2 for all methods */
46
+ ret->options |= SSL_OP_NO_SSLv2;
50
SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
51
Index: openssl-0.9.8o/test/testssl
52
===================================================================
53
--- openssl-0.9.8o.orig/test/testssl 2005-02-02 00:48:36.000000000 +0100
54
+++ openssl-0.9.8o/test/testssl 2010-07-19 22:10:51.885282388 +0200
56
#############################################################################
59
-$ssltest -ssl2 $extra || exit 1
60
+$ssltest -ssl2 $extra && exit 1
62
echo test sslv2 with server authentication
63
-$ssltest -ssl2 -server_auth $CA $extra || exit 1
64
+$ssltest -ssl2 -server_auth $CA $extra && exit 1
66
if [ $dsa_cert = NO ]; then
67
echo test sslv2 with client authentication
68
- $ssltest -ssl2 -client_auth $CA $extra || exit 1
69
+ $ssltest -ssl2 -client_auth $CA $extra && exit 1
71
echo test sslv2 with both client and server authentication
72
- $ssltest -ssl2 -server_auth -client_auth $CA $extra || exit 1
73
+ $ssltest -ssl2 -server_auth -client_auth $CA $extra && exit 1
78
$ssltest -server_auth -client_auth $CA $extra || exit 1
80
echo test sslv2 via BIO pair
81
-$ssltest -bio_pair -ssl2 $extra || exit 1
82
+$ssltest -bio_pair -ssl2 $extra && exit 1
84
echo test sslv2 with server authentication via BIO pair
85
-$ssltest -bio_pair -ssl2 -server_auth $CA $extra || exit 1
86
+$ssltest -bio_pair -ssl2 -server_auth $CA $extra && exit 1
88
if [ $dsa_cert = NO ]; then
89
echo test sslv2 with client authentication via BIO pair
90
- $ssltest -bio_pair -ssl2 -client_auth $CA $extra || exit 1
91
+ $ssltest -bio_pair -ssl2 -client_auth $CA $extra && exit 1
93
echo test sslv2 with both client and server authentication via BIO pair
94
- $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA $extra || exit 1
95
+ $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA $extra && exit 1
98
echo test sslv3 via BIO pair
99
Index: openssl-0.9.8o/doc/ssl/SSL_CTX_new.pod
100
===================================================================
101
--- openssl-0.9.8o.orig/doc/ssl/SSL_CTX_new.pod 2010-07-19 22:35:59.305282967 +0200
102
+++ openssl-0.9.8o/doc/ssl/SSL_CTX_new.pod 2010-07-19 22:39:09.324088083 +0200
104
and will also indicate that it only understand SSLv2. A server will only
105
understand SSLv2 client hello messages.
107
+Note: these methods are disabled. The SSLv2 protocol is considered unsafe,
108
+and all attempts to use it will result in the error "null ssl method passed".
110
=item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
112
A TLS/SSL connection established with these methods will only understand the
113
Index: openssl-0.9.8o/doc/ssl/SSL_CTX_set_options.pod
114
===================================================================
115
--- openssl-0.9.8o.orig/doc/ssl/SSL_CTX_set_options.pod 2010-07-19 22:39:31.044042368 +0200
116
+++ openssl-0.9.8o/doc/ssl/SSL_CTX_set_options.pod 2010-07-19 22:40:34.534120783 +0200
119
Do not use the SSLv2 protocol.
121
+Note: this option is always set and cannot be disabled. SSLv2 is never
124
=item SSL_OP_NO_SSLv3
126
Do not use the SSLv3 protocol.