author | Dr. Stephen Henson <steve@openssl.org> | 2009-04-07 17:01:07 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2009-04-07 17:01:07 +0000 |
commit | 9ae5743515f88f481c0e1075c21404e67d9cc197 (patch) | |
tree | 208d8375f419e4da15dc8eb9f40e181b7e99320e /ssl/s23_clnt.c | |
parent | c184b140df83ef5e91abf3e1d405059f898269d6 (diff) |
Disable SSLv2 cipher suites by default and avoid SSLv2 compatible client
hello if no SSLv2 cipher suites are included. This effectively disables
use of the broken SSLv2 protocol by default.
Diffstat (limited to 'ssl/s23_clnt.c')
-rw-r--r-- | ssl/s23_clnt.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 0912528f89..a71311e716 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -250,6 +250,20 @@ end:
 return(ret);
 }
+static int ssl23_no_ssl2_ciphers(SSL *s)
+ {
+ SSL_CIPHER *cipher;
+ STACK_OF(SSL_CIPHER) *ciphers;
+ int i;
+ ciphers = SSL_get_ciphers(s);
+ for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++)
+ {
+ cipher = sk_SSL_CIPHER_value(ciphers, i);
+ if (cipher->algorithm_ssl == SSL_SSLV2)
+ return 0;
+ }
+ return 1;
+ }
 static int ssl23_client_hello(SSL *s)
 {
@@ -264,6 +278,9 @@ static int ssl23_client_hello(SSL *s)
 ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1;
+ if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
+ ssl2_compat = 0;
+
 if (!(s->options & SSL_OP_NO_TLSv1))
 {
 version = TLS1_VERSION; |
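Review bot: ssl23_no_ssl2_ciphers in the first hunk has no comment stating its contract, and its behaviour for an unset cipher list is only implicit: SSL_get_ciphers() can return NULL, in which case the loop never runs because sk_SSL_CIPHER_num(NULL) yields -1, so the function reports "no SSLv2 ciphers" and the caller drops the SSLv2-compatible hello. That is the desired outcome, but a reader has to know the stack API to see it. I would put this above the definition: `/* Return 1 if no enabled cipher suite is SSLv2-only, 0 otherwise. A NULL or empty cipher list counts as "no SSLv2 ciphers" (sk_num(NULL) is -1). */`. Since `cipher` is only read through, `const SSL_CIPHER *cipher;` would document that as well, provided the stack accessor's return type allows it.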
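Review bot: The new condition in the second hunk clears ssl2_compat without saying why, so the rationale lives only in the commit message. A one-line comment keeps it with the code: `/* No SSLv2 cipher suites are enabled, so an SSLv2-compatible hello has no purpose: send a plain SSLv3/TLS hello instead. */`. As far as the hunk shows, ssl2_compat is derived from the cipher list each time the hello is built, so enabling an SSLv2 suite via the cipher list later would bring the compatible hello back unless SSL_OP_NO_SSLv2 is also set; worth stating in the comment so the two controls are not confused. ssl23_client_hello starts and ends outside this hunk.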