]>
Commit | Line | Data |
---|---|---|
5a9bbaa9 MT |
1 | diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_client.c |
2 | --- openssl-1.1.0f/apps/s_client.c.disable-ssl3 2017-06-05 15:42:44.838853312 +0200 | |
3 | +++ openssl-1.1.0f/apps/s_client.c 2017-07-17 14:50:06.468821871 +0200 | |
4 | @@ -1486,6 +1486,9 @@ int s_client_main(int argc, char **argv) | |
5 | if (sdebug) | |
6 | ssl_ctx_security_debug(ctx, sdebug); | |
7 | ||
8 | + if (min_version == SSL3_VERSION && max_version == SSL3_VERSION) | |
9 | + SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); | |
10 | + | |
11 | if (ssl_config) { | |
12 | if (SSL_CTX_config(ctx, ssl_config) == 0) { | |
13 | BIO_printf(bio_err, "Error using configuration \"%s\"\n", | |
14 | diff -up openssl-1.1.0f/apps/s_server.c.disable-ssl3 openssl-1.1.0f/apps/s_server.c | |
15 | --- openssl-1.1.0f/apps/s_server.c.disable-ssl3 2017-05-25 14:46:18.000000000 +0200 | |
16 | +++ openssl-1.1.0f/apps/s_server.c 2017-07-17 14:49:50.434447583 +0200 | |
17 | @@ -1614,6 +1614,10 @@ int s_server_main(int argc, char *argv[] | |
18 | } | |
19 | if (sdebug) | |
20 | ssl_ctx_security_debug(ctx, sdebug); | |
21 | + | |
22 | + if (min_version == SSL3_VERSION && max_version == SSL3_VERSION) | |
23 | + SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); | |
24 | + | |
25 | if (ssl_config) { | |
26 | if (SSL_CTX_config(ctx, ssl_config) == 0) { | |
27 | BIO_printf(bio_err, "Error using configuration \"%s\"\n", | |
28 | diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c | |
29 | --- openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 2016-08-25 17:29:22.000000000 +0200 | |
30 | +++ openssl-1.1.0/ssl/ssl_lib.c 2016-09-08 11:08:05.252082263 +0200 | |
31 | @@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m | |
32 | * or by using the SSL_CONF library. | |
33 | */ | |
34 | ret->options |= SSL_OP_NO_COMPRESSION; | |
35 | + /* | |
36 | + * Disable SSLv3 by default. Applications can | |
37 | + * re-enable it by configuring | |
38 | + * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); | |
39 | + * or by using the SSL_CONF library. | |
40 | + */ | |
41 | + ret->options |= SSL_OP_NO_SSLv3; | |
42 | ||
43 | ret->tlsext_status_type = -1; | |
44 | ||
45 | diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.c | |
46 | --- openssl-1.1.0/test/ssl_test.c.disable-ssl3 2016-09-08 11:08:05.252082263 +0200 | |
47 | +++ openssl-1.1.0/test/ssl_test.c 2016-09-08 11:11:44.802005886 +0200 | |
48 | @@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE | |
49 | SSL_TEST_SERVERNAME_CB_NONE) { | |
50 | server2_ctx = SSL_CTX_new(TLS_server_method()); | |
51 | TEST_check(server2_ctx != NULL); | |
52 | + SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3); | |
53 | } | |
54 | client_ctx = SSL_CTX_new(TLS_client_method()); | |
55 | ||
56 | @@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE | |
57 | resume_client_ctx = SSL_CTX_new(TLS_client_method()); | |
58 | TEST_check(resume_server_ctx != NULL); | |
59 | TEST_check(resume_client_ctx != NULL); | |
60 | + SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3); | |
61 | + SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3); | |
62 | } | |
63 | } | |
64 | ||
65 | TEST_check(server_ctx != NULL); | |
66 | TEST_check(client_ctx != NULL); | |
67 | + SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3); | |
68 | + SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3); | |
69 | ||
70 | TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0); | |
71 | ||
72 | diff -up openssl-1.1.0/test/ssltest_old.c.disable-ssl3 openssl-1.1.0/test/ssltest_old.c | |
73 | --- openssl-1.1.0/test/ssltest_old.c.disable-ssl3 2016-08-25 17:29:23.000000000 +0200 | |
74 | +++ openssl-1.1.0/test/ssltest_old.c 2016-09-08 11:08:05.253082286 +0200 | |
75 | @@ -1456,6 +1456,11 @@ int main(int argc, char *argv[]) | |
76 | ERR_print_errors(bio_err); | |
77 | goto end; | |
78 | } | |
79 | + | |
80 | + SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3); | |
81 | + SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3); | |
82 | + SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3); | |
83 | + | |
84 | /* | |
85 | * Since we will use low security ciphersuites and keys for testing set | |
86 | * security level to zero by default. Tests can override this by adding |