authorDr. Stephen Henson <steve@openssl.org>2009-04-07 17:01:07 +0000
committerDr. Stephen Henson <steve@openssl.org>2009-04-07 17:01:07 +0000
commit9ae5743515f88f481c0e1075c21404e67d9cc197 (patch)
tree208d8375f419e4da15dc8eb9f40e181b7e99320e /ssl/s23_clnt.c
parentc184b140df83ef5e91abf3e1d405059f898269d6 (diff)
Disable SSLv2 cipher suites by default and avoid sending an SSLv2-compatible client
hello if no SSLv2 cipher suites are enabled. This effectively disables use of the broken SSLv2 protocol by default.
Diffstat (limited to 'ssl/s23_clnt.c')
-rw-r--r--ssl/s23_clnt.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 0912528f89..a71311e716 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -250,6 +250,20 @@ end:
return(ret);
}
+static int ssl23_no_ssl2_ciphers(SSL *s)
+ {
+ SSL_CIPHER *cipher;
+ STACK_OF(SSL_CIPHER) *ciphers;
+ int i;
+ ciphers = SSL_get_ciphers(s);
+ for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++)
+ {
+ cipher = sk_SSL_CIPHER_value(ciphers, i);
+ if (cipher->algorithm_ssl == SSL_SSLV2)
+ return 0;
+ }
+ return 1;
+ }
static int ssl23_client_hello(SSL *s)
{
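Review bot: ssl23_no_ssl2_ciphers has no comment stating its contract, and its loop re-evaluates sk_SSL_CIPHER_num(ciphers) on every iteration. I would put `/* Return 1 if no SSLv2 cipher suite is enabled on s, 0 otherwise; used to decide whether an SSLv2-compatible client hello is still needed. */` above the definition and hoist the count once: `int n = sk_SSL_CIPHER_num(ciphers); for (i = 0; i < n; i++)`. Since the loop only reads algorithm_ssl, `cipher` could be declared `const SSL_CIPHER *`. If SSL_get_ciphers() returns NULL, sk_SSL_CIPHER_num presumably yields a negative count so the loop is skipped and the function reports "no SSLv2 ciphers", which suppresses the SSLv2-compatible hello; worth confirming that is the intended default for that case.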
@@ -264,6 +278,9 @@ static int ssl23_client_hello(SSL *s)
ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1;
+ if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
+ ssl2_compat = 0;
+
if (!(s->options & SSL_OP_NO_TLSv1))
{
version = TLS1_VERSION;