diff options
| author | Matt Caswell <matt@openssl.org> | 2017-04-12 17:02:42 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2017-04-24 16:15:40 +0100 |
| commit | 8af91fd9d08487e0dffb6ccac5f42633c964f3f0 (patch) | |
| tree | a10e449c9918e9264f91d93e25f597ebbcaf37b5 /ssl/t1_lib.c | |
| parent | dd94c37a5c2f783102b125c620000b9719c662d3 (diff) | |
Don't fail the connection in SSLv3 if server selects ECDHE
ECDHE is not properly defined for SSLv3. Commit fe55c4a2 prevented ECDHE
from being selected in that protocol. However, historically, servers do
still select ECDHE anyway so that commit causes interoperability problems.
Clients that previously worked when talking to an SSLv3 server could now
fail.
This commit introduces an exception which enables a client to continue in
SSLv3 if the server selected ECDHE.
[extended tests]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3204)
Diffstat (limited to 'ssl/t1_lib.c')
| -rw-r--r-- | ssl/t1_lib.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 698c25b46f..5007f7ebb3 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1034,19 +1034,31 @@ void ssl_set_client_disabled(SSL *s) * @s: SSL connection that you want to use the cipher on * @c: cipher to check * @op: Security check that you want to do + * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3 * * Returns 1 when it's disabled, 0 when enabled. */ -int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op) +int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe) { if (c->algorithm_mkey & s->s3->tmp.mask_k || c->algorithm_auth & s->s3->tmp.mask_a) return 1; if (s->s3->tmp.max_ver == 0) return 1; - if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver) - || (c->max_tls < s->s3->tmp.min_ver))) - return 1; + if (!SSL_IS_DTLS(s)) { + int min_tls = c->min_tls; + + /* + * For historical reasons we will allow ECHDE to be selected by a server + * in SSLv3 if we are a client + */ + if (min_tls == TLS1_VERSION && ecdhe + && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0) + min_tls = SSL3_VERSION; + + if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver)) + return 1; + } if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver) || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver))) return 1; |