diff options
author | Yang Tse <yangsita@gmail.com> | 2012-01-18 04:33:49 +0100 |
---|---|---|
committer | Yang Tse <yangsita@gmail.com> | 2012-01-18 11:59:20 +0100 |
commit | a20daf90e358c1476a325ea665d533f7a27e3364 (patch) | |
tree | d78d7d5e27923961a01d0f2dbd3b63aa279258e6 /lib/ssluse.c | |
parent | 24526d0c0f4209eb77c807afdb15da301c7d021b (diff) | |
download | curl-a20daf90e358c1476a325ea665d533f7a27e3364.tar.gz |
OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is no longer enabled
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed successfull
interoperability with web server Netscape Enterprise Server 2.0.1 released
back in 1996 more than 15 years ago.
Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
CVE-2010-4180 when using previous OpenSSL versions we no longer enable
this option regardless of OpenSSL version and SSL_OP_ALL definition.
Diffstat (limited to 'lib/ssluse.c')
-rw-r--r-- | lib/ssluse.c | 28 |
1 files changed, 21 insertions, 7 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c index 975ab8cf6..b09ba6db7 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -1425,6 +1425,7 @@ ossl_connect_step1(struct connectdata *conn, X509_LOOKUP *lookup=NULL; curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + long ctx_options; #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME bool sni; #ifdef ENABLE_IPV6 @@ -1530,20 +1531,33 @@ ossl_connect_step1(struct connectdata *conn, If someone writes an application with libcurl and openssl who wants to enable the feature, one can do this in the SSL callback. + SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed proper + interoperability with web server Netscape Enterprise Server 2.0.1 which + was released back in 1996. + + Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has + become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate + CVE-2010-4180 when using previous OpenSSL versions we no longer enable + this option regardless of OpenSSL version and SSL_OP_ALL definition. */ + + ctx_options = SSL_OP_ALL; + #ifdef SSL_OP_NO_TICKET - /* expect older openssl releases to not have this define so only use it if - present */ -#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET -#else -#define CURL_CTX_OPTIONS SSL_OP_ALL + ctx_options |= SSL_OP_NO_TICKET; #endif - SSL_CTX_set_options(connssl->ctx, CURL_CTX_OPTIONS); +#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && \ + (SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG == 0x00000008L) + /* mitigate CVE-2010-4180 */ + ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; +#endif /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) - SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2); + ctx_options |= SSL_OP_NO_SSLv2; + + SSL_CTX_set_options(connssl->ctx, ctx_options); #if 0 /* |