[ipfire-2.x.git] / src / patches / openssl-1.1.0-disable-ssl3.patch

diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_client.c
--- openssl-1.1.0f/apps/s_client.c.disable-ssl3	2017-06-05 15:42:44.838853312 +0200
+++ openssl-1.1.0f/apps/s_client.c	2017-07-17 14:50:06.468821871 +0200
@@ -1486,6 +1486,9 @@ int s_client_main(int argc, char **argv)
     if (sdebug)
         ssl_ctx_security_debug(ctx, sdebug);
 
+    if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+
     if (ssl_config) {
         if (SSL_CTX_config(ctx, ssl_config) == 0) {
             BIO_printf(bio_err, "Error using configuration \"%s\"\n",
diff -up openssl-1.1.0f/apps/s_server.c.disable-ssl3 openssl-1.1.0f/apps/s_server.c
--- openssl-1.1.0f/apps/s_server.c.disable-ssl3	2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/apps/s_server.c	2017-07-17 14:49:50.434447583 +0200
@@ -1614,6 +1614,10 @@ int s_server_main(int argc, char *argv[]
     }
     if (sdebug)
         ssl_ctx_security_debug(ctx, sdebug);
+
+    if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+
     if (ssl_config) {
         if (SSL_CTX_config(ctx, ssl_config) == 0) {
             BIO_printf(bio_err, "Error using configuration \"%s\"\n",
diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c
--- openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3	2016-08-25 17:29:22.000000000 +0200
+++ openssl-1.1.0/ssl/ssl_lib.c	2016-09-08 11:08:05.252082263 +0200
@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
      * or by using the SSL_CONF library.
      */
     ret->options |= SSL_OP_NO_COMPRESSION;
+    /*
+     * Disable SSLv3 by default.  Applications can
+     * re-enable it by configuring
+     * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+     * or by using the SSL_CONF library.
+     */
+    ret->options |= SSL_OP_NO_SSLv3;
 
     ret->tlsext_status_type = -1;
 
diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.c
--- openssl-1.1.0/test/ssl_test.c.disable-ssl3	2016-09-08 11:08:05.252082263 +0200
+++ openssl-1.1.0/test/ssl_test.c	2016-09-08 11:11:44.802005886 +0200
@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
             SSL_TEST_SERVERNAME_CB_NONE) {
             server2_ctx = SSL_CTX_new(TLS_server_method());
             TEST_check(server2_ctx != NULL);
+            SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
         }
         client_ctx = SSL_CTX_new(TLS_client_method());
 
@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
             resume_client_ctx = SSL_CTX_new(TLS_client_method());
             TEST_check(resume_server_ctx != NULL);
             TEST_check(resume_client_ctx != NULL);
+            SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
+            SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
         }
     }
 
     TEST_check(server_ctx != NULL);
     TEST_check(client_ctx != NULL);
+    SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
+    SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
 
     TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
 
diff -up openssl-1.1.0/test/ssltest_old.c.disable-ssl3 openssl-1.1.0/test/ssltest_old.c
--- openssl-1.1.0/test/ssltest_old.c.disable-ssl3	2016-08-25 17:29:23.000000000 +0200
+++ openssl-1.1.0/test/ssltest_old.c	2016-09-08 11:08:05.253082286 +0200
@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
         ERR_print_errors(bio_err);
         goto end;
     }
+
+    SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
+    SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
+    SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
+
     /*
      * Since we will use low security ciphersuites and keys for testing set
      * security level to zero by default. Tests can override this by adding
Commit	Line	Data
5a9bbaa9 MT	1	diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_client.c
	2	--- openssl-1.1.0f/apps/s_client.c.disable-ssl3 2017-06-05 15:42:44.838853312 +0200
	3	+++ openssl-1.1.0f/apps/s_client.c 2017-07-17 14:50:06.468821871 +0200
	4	@@ -1486,6 +1486,9 @@ int s_client_main(int argc, char **argv)
	5	if (sdebug)
	6	ssl_ctx_security_debug(ctx, sdebug);
	7
	8	+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
	9	+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
	10	+
	11	if (ssl_config) {
	12	if (SSL_CTX_config(ctx, ssl_config) == 0) {
	13	BIO_printf(bio_err, "Error using configuration \"%s\"\n",
	14	diff -up openssl-1.1.0f/apps/s_server.c.disable-ssl3 openssl-1.1.0f/apps/s_server.c
	15	--- openssl-1.1.0f/apps/s_server.c.disable-ssl3 2017-05-25 14:46:18.000000000 +0200
	16	+++ openssl-1.1.0f/apps/s_server.c 2017-07-17 14:49:50.434447583 +0200
	17	@@ -1614,6 +1614,10 @@ int s_server_main(int argc, char *argv[]
	18	}
	19	if (sdebug)
	20	ssl_ctx_security_debug(ctx, sdebug);
	21	+
	22	+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
	23	+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
	24	+
	25	if (ssl_config) {
	26	if (SSL_CTX_config(ctx, ssl_config) == 0) {
	27	BIO_printf(bio_err, "Error using configuration \"%s\"\n",
	28	diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c
	29	--- openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 2016-08-25 17:29:22.000000000 +0200
	30	+++ openssl-1.1.0/ssl/ssl_lib.c 2016-09-08 11:08:05.252082263 +0200
	31	@@ -2470,6 +2470,13 @@ SSL_CTX SSL_CTX_new(const SSL_METHOD m
	32	* or by using the SSL_CONF library.
	33	*/
	34	ret->options \|= SSL_OP_NO_COMPRESSION;
	35	+ /*
	36	+ * Disable SSLv3 by default. Applications can
	37	+ * re-enable it by configuring
	38	+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
	39	+ * or by using the SSL_CONF library.
	40	+ */
	41	+ ret->options \|= SSL_OP_NO_SSLv3;
	42
	43	ret->tlsext_status_type = -1;
	44
	45	diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.c
	46	--- openssl-1.1.0/test/ssl_test.c.disable-ssl3 2016-09-08 11:08:05.252082263 +0200
	47	+++ openssl-1.1.0/test/ssl_test.c 2016-09-08 11:11:44.802005886 +0200
	48	@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
	49	SSL_TEST_SERVERNAME_CB_NONE) {
	50	server2_ctx = SSL_CTX_new(TLS_server_method());
	51	TEST_check(server2_ctx != NULL);
	52	+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
	53	}
	54	client_ctx = SSL_CTX_new(TLS_client_method());
	55
	56	@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
	57	resume_client_ctx = SSL_CTX_new(TLS_client_method());
	58	TEST_check(resume_server_ctx != NULL);
	59	TEST_check(resume_client_ctx != NULL);
	60	+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
	61	+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
	62	}
	63	}
	64
65	TEST_check(server_ctx != NULL);
66	TEST_check(client_ctx != NULL);
67	+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
68	+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
69
70	TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
71
72	diff -up openssl-1.1.0/test/ssltest_old.c.disable-ssl3 openssl-1.1.0/test/ssltest_old.c
73	--- openssl-1.1.0/test/ssltest_old.c.disable-ssl3 2016-08-25 17:29:23.000000000 +0200
74	+++ openssl-1.1.0/test/ssltest_old.c 2016-09-08 11:08:05.253082286 +0200
75	@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
76	ERR_print_errors(bio_err);
77	goto end;
78	}
79	+
80	+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
81	+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
82	+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
83	+
84	/*
85	* Since we will use low security ciphersuites and keys for testing set
86	* security level to zero by default. Tests can override this by adding