diff options
author | Lutz Jänicke <jaenicke@openssl.org> | 2001-08-03 08:45:13 +0000 |
---|---|---|
committer | Lutz Jänicke <jaenicke@openssl.org> | 2001-08-03 08:45:13 +0000 |
commit | 06da6e49777285f50aeb1b920d950a9bd27fef52 (patch) | |
tree | 8d3eb57e387c364ecda0abe54a24acc33e80c1b5 /doc | |
parent | b72faddc47811846d1cf28f04db2bd38422d9006 (diff) |
Don't disable rollback attack detection as a recommended bug workaround.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/ssl/SSL_CTX_set_options.pod | 28 |
1 files changed, 15 insertions, 13 deletions
diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index 88304ef7ed..4e7fbaedc8 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -100,18 +100,6 @@ doing a re-connect, always takes the first cipher in the cipher list. ... -=item SSL_OP_TLS_ROLLBACK_BUG - -Disable version rollback attack detection. - -During the client key exchange, the client must send the same information -about acceptable SSL/TLS protocol levels as during the first hello. Some -clients violate this rule by adapting to the server's answer. (Example: -the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server -only understands up to SSLv3. In this case the client must still use the -same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect -to the server's answer and violate the version rollback protection.) - =item SSL_OP_ALL All of the above bug workarounds. @@ -125,6 +113,18 @@ The following B<modifying> options are available: =over 4 +=item SSL_OP_TLS_ROLLBACK_BUG + +Disable version rollback attack detection. + +During the client key exchange, the client must send the same information +about acceptable SSL/TLS protocol levels as during the first hello. Some +clients violate this rule by adapting to the server's answer. (Example: +the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server +only understands up to SSLv3. In this case the client must still use the +same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect +to the server's answer and violate the version rollback protection.) + =item SSL_OP_SINGLE_DH_USE Always create a new key when using temporary/ephemeral DH parameters @@ -207,6 +207,8 @@ L<dhparam(1)|dhparam(1)> SSL_OP_CIPHER_SERVER_PREFERENCE has been added in OpenSSL 0.9.7. -SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6. +SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6 and was automatically +enabled with SSL_OP_ALL. As of 0.9.7 it is no longer included in SSL_OP_ALL +and must be explicitely set. =cut |