-rw-r--r-- | CHANGES.md | 8 |
-rw-r--r-- | doc/man3/SSL_CONF_cmd.pod | 1 |
-rw-r--r-- | doc/man3/SSL_CTX_set_options.pod | 19 |
-rw-r--r-- | include/openssl/ssl.h.in | 1 |
-rw-r--r-- | ssl/ssl_lib.c | 5 |
5 files changed, 14 insertions, 20 deletions
diff --git a/CHANGES.md b/CHANGES.md index 7b6c7c5ffb..6e89f9814c 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -82,6 +82,14 @@ OpenSSL 3.0 *Boris Pismenny, John Baldwin and Andrew Gallatin* + * Support for RFC 5746 secure renegotiation is now required by default for + SSL or TLS connections to succeed. Applications that require the ability + to connect to legacy peers will need to explicitly set + SSL_OP_LEGACY_SERVER_CONNECT. Accordingly, SSL_OP_LEGACY_SERVER_CONNECT + is no longer set as part of SSL_OP_ALL. + + *Benjamin Kaduk* + * The signature of the `copy` functional parameter of the EVP_PKEY_meth_set_copy() function has changed so its `src` argument is now `const EVP_PKEY_CTX *` instead of `EVP_PKEY_CTX *`. Similarly diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index 125164e4c8..8da8f7f060 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -76,7 +76,6 @@ set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers. permits or prohibits the use of unsafe legacy renegotiation for OpenSSL clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>. -Set by default. =item B<-prioritize_chacha> diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index 1bc5894127..e84aaac8a8 100644 --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod @@ -88,8 +88,7 @@ implementations. =item SSL_OP_ALL -All of the above bug workarounds plus B<SSL_OP_LEGACY_SERVER_CONNECT> as -mentioned below. +All of the above bug workarounds. =back @@ -193,8 +192,7 @@ servers. See the B<SECURE RENEGOTIATION> section for more details. =item SSL_OP_LEGACY_SERVER_CONNECT Allow legacy insecure renegotiation between OpenSSL and unpatched servers -B<only>: this option is currently set by default. See the -B<SECURE RENEGOTIATION> section for more details. +B<only>. See the B<SECURE RENEGOTIATION> section for more details. =item SSL_OP_NO_ENCRYPT_THEN_MAC 
@@ -378,15 +376,10 @@ and renegotiation between patched OpenSSL clients and unpatched servers succeeds. If neither option is set then initial connections to unpatched servers will fail. -The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even -though it has security implications: otherwise it would be impossible to -connect to unpatched servers (i.e. all of them initially) and this is clearly -not acceptable. Renegotiation is permitted because this does not add any -additional security issues: during an attack clients do not see any -renegotiations anyway. - -As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will -B<not> be set by default in a future version of OpenSSL. +Setting the option B<SSL_OP_LEGACY_SERVER_CONNECT> has security implications; +clients that are willing to connect to servers that do not implement +RFC 5746 secure renegotiation are subject to attacks such as +CVE-2009-3555. OpenSSL client applications wishing to ensure they can connect to unpatched servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT> diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index d607d8d02f..d03fff6be5 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -425,7 +425,6 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg); */ # define SSL_OP_ALL (SSL_OP_CRYPTOPRO_TLSEXT_BUG|\ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS|\ - SSL_OP_LEGACY_SERVER_CONNECT|\ SSL_OP_TLSEXT_PADDING|\ SSL_OP_SAFARI_ECDHE_ECDSA_BUG) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 27a5ec4581..c9b49279c5 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c 
@@ -3311,11 +3311,6 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, # endif #endif /* - * Default is to connect to non-RI servers. When RI is more widely - * deployed might change this. - */ - ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; - /* * Disable compression by default to prevent CRIME. Applications can * re-enable compression by configuring * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION); |
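Review bot: In the CHANGES.md hunk, the new entry says RFC 5746 support is required "for SSL or TLS connections to succeed" without saying which side is affected, while the SSL_CONF_cmd.pod context in this same patch describes the option as applying to "OpenSSL clients only". Suggest wording the entry in terms of clients connecting to servers that do not implement RFC 5746, so that server operators do not read it as a change in what their servers accept.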
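Review bot: In the SSL_CONF_cmd.pod hunk, "Set by default." is deleted with nothing put in its place, so the entry no longer tells the reader what the default is. Suggest replacing the line with an explicit statement that the option is not set by default, since that is the behaviour change a reader of this page needs to see.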
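Review bot: In the SSL_CTX_set_options.pod hunk at @@ -378, the new warning about CVE-2009-3555 is followed directly by the unchanged paragraph saying client applications "should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT>" to reach unpatched servers, which now reads as a recommendation immediately after the warning. Suggest stating in the new paragraph that the option is no longer set by default, and rewording the following paragraph so that setting it is presented as an explicit opt-in that accepts the risk just described.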
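Review bot: In the ssl.h.in hunk, dropping SSL_OP_LEGACY_SERVER_CONNECT from the SSL_OP_ALL macro changes behaviour for every application that passes SSL_OP_ALL, and a rebuild gives no compile-time signal of that. Suggest a short comment next to the macro saying the option is deliberately excluded and must be set explicitly, so it is not re-added later as one more bug workaround.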
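Review bot: The ssl_lib.c hunk in SSL_CTX_new_ex() changes the default options of every new context, but none of the five files in this patch is a test. Suggest adding a test that a freshly created SSL_CTX does not have SSL_OP_LEGACY_SERVER_CONNECT set, and that a client handshake with a non-RI server fails by default and succeeds only when the option is set explicitly.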