[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Fri Feb 6 11:38:08 UTC 2015
The branch master has been updated
via 3c33c6f6b10864355553961e638514a6d1bb00f6 (commit)
from ae632974f905c59176fa5f312826f8f692890b67 (commit)
- Log -----------------------------------------------------------------
commit 3c33c6f6b10864355553961e638514a6d1bb00f6
Author: Matt Caswell <matt at openssl.org>
Date: Thu Feb 5 15:57:54 2015 +0000
Remove support for SSL_OP_NETSCAPE_CA_DN_BUG.
This is an ancient bug workaround for Netscape clients. The documentation
talks about versions 3.x and 4.x beta.
Reviewed-by: Tim Hudson <tjh at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
doc/ssl/SSL_CTX_set_options.pod | 5 -----
ssl/s3_clnt.c | 18 +++---------------
ssl/s3_srvr.c | 18 ++++--------------
ssl/ssl.h | 3 ++-
4 files changed, 9 insertions(+), 35 deletions(-)
diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
index 593435c..dc3d4f1 100644
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -169,11 +169,6 @@ will send its list of preferences to the client and the client chooses.
...
-=item SSL_OP_NETSCAPE_CA_DN_BUG
-
-If we accept a netscape connection, demand a client cert, have a
-non-self-signed CA which does not have its CA in netscape, and the
-browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta
=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 5e2b543..4d7d05b 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2109,8 +2109,6 @@ int ssl3_get_certificate_request(SSL *s)
for (nc = 0; nc < llen;) {
n2s(p, l);
if ((l + nc + 2) > llen) {
- if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
- goto cont; /* netscape bugs */
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
goto err;
@@ -2119,14 +2117,9 @@ int ssl3_get_certificate_request(SSL *s)
q = p;
if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
- /* If netscape tolerance is on, ignore errors */
- if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
- goto cont;
- else {
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
- goto err;
- }
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+ SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
+ goto err;
}
if (q != (p + l)) {
@@ -2144,11 +2137,6 @@ int ssl3_get_certificate_request(SSL *s)
nc += l + 2;
}
- if (0) {
- cont:
- ERR_clear_error();
- }
-
/* we should setup a certificate to return.... */
s->s3->tmp.cert_req = 1;
s->s3->tmp.ctype_num = ctype_num;
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index f31b76a..8819fed 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2056,20 +2056,10 @@ int ssl3_send_certificate_request(SSL *s)
goto err;
}
p = ssl_handshake_start(s) + n;
- if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
- s2n(j, p);
- i2d_X509_NAME(name, &p);
- n += 2 + j;
- nl += 2 + j;
- } else {
- d = p;
- i2d_X509_NAME(name, &p);
- j -= 2;
- s2n(j, d);
- j += 2;
- n += j;
- nl += j;
- }
+ s2n(j, p);
+ i2d_X509_NAME(name, &p);
+ n += 2 + j;
+ nl += 2 + j;
}
}
/* else no CA names */
diff --git a/ssl/ssl.h b/ssl/ssl.h
index a3b8a81..8eed2ca 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -478,7 +478,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
# define SSL_OP_PKCS1_CHECK_1 0x0
# define SSL_OP_PKCS1_CHECK_2 0x0
-# define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
+/* Removed as of OpenSSL 1.1.0 */
+# define SSL_OP_NETSCAPE_CA_DN_BUG 0x0
# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
/*
* Make server add server-hello extension from early version of cryptopro
More information about the openssl-commits
mailing list