author | Dr. Stephen Henson <steve@openssl.org> | 2014-10-29 12:51:31 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-11-19 22:54:30 +0000 |
commit | 017a15cbd290a6fd008f19d1873071f36a624b1b (patch) | |
tree | 3f788ea0d890eb3a13b9c973064cf544cc50d7ad /ssl | |
parent | 786370b1b09b919d9306f27336e13783e4fe3fd0 (diff) |
New option no-ssl3-method which removes SSLv3_*method
When no-ssl3 is set only make SSLv3 disabled by default. Retain -ssl3
options for s_client/s_server/ssltest.
When no-ssl3-method is set, SSLv3_*method() and all -ssl3 options are
removed.
We should document this somewhere, e.g. wiki, FAQ or manual page.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 3881d8106df732fc433d30446625dfa2396da42d)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/s3_clnt.c | 3 | ||||
-rw-r--r-- | ssl/s3_meth.c | 5 | ||||
-rw-r--r-- | ssl/s3_srvr.c | 12 | ||||
-rw-r--r-- | ssl/ssl.h | 2 | ||||
-rw-r--r-- | ssl/ssltest.c | 4 |
5 files changed, 15 insertions, 11 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 7d7af4b453..3c270fee2d 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -167,9 +167,9 @@
 #include <openssl/engine.h>
 #endif
-static const SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
+#ifndef OPENSSL_NO_SSL3_METHOD
 static const SSL_METHOD *ssl3_get_client_method(int ver)
 {
 if (ver == SSL3_VERSION)
@@ -182,6 +182,7 @@ IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
 ssl_undefined_function,
 ssl3_connect,
 ssl3_get_client_method)
+#endif
 int ssl3_connect(SSL *s)
 {
diff --git a/ssl/s3_meth.c b/ssl/s3_meth.c
index cdddb17b62..4dec7033d6 100644
--- a/ssl/s3_meth.c
+++ b/ssl/s3_meth.c
@@ -60,7 +60,7 @@
 #include <openssl/objects.h>
 #include "ssl_locl.h"
-static const SSL_METHOD *ssl3_get_method(int ver);
+#ifndef OPENSSL_NO_SSL3_METHOD
 static const SSL_METHOD *ssl3_get_method(int ver)
 {
 if (ver == SSL3_VERSION)
@@ -73,5 +73,4 @@ IMPLEMENT_ssl3_meth_func(SSLv3_method,
 ssl3_accept,
 ssl3_connect,
 ssl3_get_method)
-
-
+#endif
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index cb003a5391..4914838847 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -170,6 +170,7 @@
 #endif
 #include <openssl/md5.h>
+#ifndef OPENSSL_NO_SSL3_METHOD
 static const SSL_METHOD *ssl3_get_server_method(int ver);
 static const SSL_METHOD *ssl3_get_server_method(int ver)
@@ -180,6 +181,12 @@ static const SSL_METHOD *ssl3_get_server_method(int ver)
 return(NULL);
 }
+IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
+ ssl3_accept,
+ ssl_undefined_function,
+ ssl3_get_server_method)
+#endif
+
 #ifndef OPENSSL_NO_SRP
 static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
 {
@@ -206,11 +213,6 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
 }
 #endif
-IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
- ssl3_accept,
- ssl_undefined_function,
- ssl3_get_server_method)
-
 int ssl3_accept(SSL *s)
 {
 BUF_MEM *buf;
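Review bot: Compiling out `SSLv3_client_method` in ssl/s3_clnt.c (and likewise `SSLv3_method` in ssl/s3_meth.c and `SSLv3_server_method` in ssl/s3_srvr.c) leaves any other caller inside the library without a definition, and the diffstat lists no further files under ssl/ that would add matching guards. Each internal call site that returns or assigns one of these methods needs the same `#ifndef OPENSSL_NO_SSL3_METHOD`, and its disabled branch should fail with an explicit error rather than continue with a NULL method pointer. Those call sites are not visible in this diff, so this is something to confirm with a no-ssl3-method build, not a demonstrated break.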
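Review bot: In the first ssl/s3_srvr.c hunk the new guard keeps the forward declaration `static const SSL_METHOD *ssl3_get_server_method(int ver);` directly above the definition, while this same commit deletes the equivalent prototypes in ssl/s3_clnt.c and ssl/s3_meth.c. The prototype is redundant because the definition follows immediately, so dropping it would keep the three files consistent. Since the closing directive lands several lines below, after the relocated macro invocation, writing it as `#endif /* OPENSSL_NO_SSL3_METHOD */` would make the pairing easier to follow.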
@@ -2222,9 +2222,11 @@ const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
 #endif
+#ifndef OPENSSL_NO_SSL3_METHOD
 const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
 const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */
 const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */
+#endif
 const SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */
 const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index 406a80103d..9867504454 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -701,7 +701,7 @@ static void sv_usage(void)
 #ifndef OPENSSL_NO_SSL2
 fprintf(stderr," -ssl2 - use SSLv2\n");
 #endif
-#ifndef OPENSSL_NO_SSL3
+#ifndef OPENSSL_NO_SSL3_METHOD
 fprintf(stderr," -ssl3 - use SSLv3\n");
 #endif
 #ifndef OPENSSL_NO_TLS1
@@ -1039,7 +1039,7 @@ int main(int argc, char *argv[])
 }
 else if (strcmp(*argv,"-ssl3") == 0)
 {
-#ifdef OPENSSL_NO_SSL3
+#ifdef OPENSSL_NO_SSL3_METHOD
 no_protocol = 1;
 #endif
 ssl3 = 1; |
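Review bot: The new `#ifndef OPENSSL_NO_SSL3_METHOD` around the three `SSLv3_*method` prototypes (the hunk at -2222, presumably ssl/ssl.h since its file header is missing from the page) carries no comment, and the commit message itself says the option still needs documenting. A short comment above the guard would tell application authors why the symbols can be absent, for example `/* Removed entirely by no-ssl3-method; no-ssl3 alone only disables SSLv3 by default */`. That way a caller sees a documented compile-time removal instead of an unexplained missing prototype.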
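Review bot: In ssl/ssltest.c the `-ssl3` branch of main() still executes `ssl3 = 1;` after setting `no_protocol = 1` under `OPENSSL_NO_SSL3_METHOD`, so whatever later picks the method from `ssl3` has to be guarded by the same macro. That selection code lies outside this hunk, and the diffstat shows only these two one-line substitutions in the file. If it still calls `SSLv3_method()` under the old `OPENSSL_NO_SSL3` check, a no-ssl3-method build would reference a function that no longer exists. Worth confirming, and switching any remaining `OPENSSL_NO_SSL3` checks around `SSLv3_method()` in this file to `OPENSSL_NO_SSL3_METHOD`.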