[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Sat Nov 14 00:11:59 UTC 2015
The branch master has been updated
via bf24ac9b54170c9060079c3f7a040162361c8e5e (commit)
via 96509199154827213a2c4c134948dd8eceea15de (commit)
via 2a802c8029eaed7a2615159a8613b7f1de6cb10a (commit)
via 60a25abdabfa3ba183c2cfc2a66bc5f98bc7faf9 (commit)
via 2b573382f8e54aa03a1d8ffd48fa9d0a04609184 (commit)
via 5e3d21fef150f020e2d33439401da8f7e311aa24 (commit)
from cfb4f1efbae561e7b70bf97fc8973b2aa084cb14 (commit)
- Log -----------------------------------------------------------------
commit bf24ac9b54170c9060079c3f7a040162361c8e5e
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Nov 13 23:34:29 2015 +0000
Update and clarify ciphers documentation.
Reviewed-by: Matt Caswell <matt at openssl.org>
commit 96509199154827213a2c4c134948dd8eceea15de
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Nov 13 14:57:55 2015 +0000
add -psk option to ciphers command
Reviewed-by: Matt Caswell <matt at openssl.org>
commit 2a802c8029eaed7a2615159a8613b7f1de6cb10a
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Nov 13 14:19:59 2015 +0000
add -tls1_2,-tls1_1 options to ciphers command
Reviewed-by: Matt Caswell <matt at openssl.org>
commit 60a25abdabfa3ba183c2cfc2a66bc5f98bc7faf9
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Nov 13 14:43:27 2015 +0000
Add "TLSv1.0" cipher alias.
This adds a TLSv1.0 cipher alias for ciphersuites requiring
at least TLSv1.0: currently only PSK ciphersuites using SHA256
or SHA384 MAC (SSLv3 only supports SHA1 and MD5 MAC).
Reviewed-by: Matt Caswell <matt at openssl.org>
commit 2b573382f8e54aa03a1d8ffd48fa9d0a04609184
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Nov 13 14:37:24 2015 +0000
Don't alow TLS v1.0 ciphersuites for SSLv3
This disables some ciphersuites which aren't supported in SSL v3:
specifically PSK ciphersuites which use SHA256 or SHA384 for the MAC.
Thanks to the Open Crypto Audit Project for identifying this issue.
Reviewed-by: Matt Caswell <matt at openssl.org>
commit 5e3d21fef150f020e2d33439401da8f7e311aa24
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Nov 13 12:52:51 2015 +0000
Use SSL_TLSV1 only if at least TLS v1.0 is needed.
Reviewed-by: Matt Caswell <matt at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/ciphers.c | 34 +++++++++
doc/apps/ciphers.pod | 31 +++++++--
ssl/s3_lib.c | 175 ++++++++++++++++++++++++-----------------------
ssl/ssl_ciph.c | 5 +-
ssl/ssl_locl.h | 4 +-
ssl/statem/statem_clnt.c | 3 +
ssl/t1_lib.c | 3 +
7 files changed, 161 insertions(+), 94 deletions(-)
diff --git a/apps/ciphers.c b/apps/ciphers.c
index bf3c204..12dca50 100644
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -67,6 +67,9 @@ typedef enum OPTION_choice {
OPT_STDNAME,
OPT_SSL3,
OPT_TLS1,
+ OPT_TLS1_1,
+ OPT_TLS1_2,
+ OPT_PSK,
OPT_V, OPT_UPPER_V, OPT_S
} OPTION_CHOICE;
@@ -76,15 +79,28 @@ OPTIONS ciphers_options[] = {
{"V", OPT_UPPER_V, '-', "Even more verbose"},
{"s", OPT_S, '-', "Only supported ciphers"},
{"tls1", OPT_TLS1, '-', "TLS1 mode"},
+ {"tls1_1", OPT_TLS1_1, '-', "TLS1.1 mode"},
+ {"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"},
#ifndef OPENSSL_NO_SSL_TRACE
{"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
#endif
#ifndef OPENSSL_NO_SSL3
{"ssl3", OPT_SSL3, '-', "SSL3 mode"},
#endif
+#ifndef OPENSSL_NO_PSK
+ {"psk", OPT_PSK, '-', "include ciphersuites requiring PSK"},
+#endif
{NULL}
};
+static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity,
+ unsigned int max_identity_len,
+ unsigned char *psk,
+ unsigned int max_psk_len)
+{
+ return 0;
+}
+
int ciphers_main(int argc, char **argv)
{
SSL_CTX *ctx = NULL;
@@ -95,6 +111,9 @@ int ciphers_main(int argc, char **argv)
#ifndef OPENSSL_NO_SSL_TRACE
int stdname = 0;
#endif
+#ifndef OPENSSL_NO_PSK
+ int psk = 0;
+#endif
const char *p;
char *ciphers = NULL, *prog;
char buf[512];
@@ -134,6 +153,17 @@ int ciphers_main(int argc, char **argv)
case OPT_TLS1:
meth = TLSv1_client_method();
break;
+ case OPT_TLS1_1:
+ meth = TLSv1_1_client_method();
+ break;
+ case OPT_TLS1_2:
+ meth = TLSv1_2_client_method();
+ break;
+ case OPT_PSK:
+#ifndef OPENSSL_NO_PSK
+ psk = 1;
+#endif
+ break;
}
}
argv = opt_rest();
@@ -147,6 +177,10 @@ int ciphers_main(int argc, char **argv)
ctx = SSL_CTX_new(meth);
if (ctx == NULL)
goto err;
+#ifndef OPENSSL_NO_PSK
+ if (psk)
+ SSL_CTX_set_psk_client_callback(ctx, dummy_psk);
+#endif
if (ciphers != NULL) {
if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
BIO_printf(bio_err, "Error in cipher list\n");
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 389b07c..963339a 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -12,6 +12,10 @@ B<openssl> B<ciphers>
[B<-V>]
[B<-ssl3>]
[B<-tls1>]
+[B<-tls1_1>]
+[B<-tls1_2>]
+[B<-s>]
+[B<-psk>]
[B<-stdname>]
[B<cipherlist>]
@@ -31,6 +35,10 @@ Only list supported ciphers: those consistent with the security level. This
is the actual cipher list an application will support. If this option is
not used then ciphers excluded by the security level will still be listed.
+=item B<-psk>
+
+When combined with B<-s> includes cipher suites which require PSK.
+
=item B<-v>
Verbose option. List ciphers with a complete description of
@@ -44,11 +52,19 @@ Like B<-v>, but include cipher suite codes in output (hex format).
=item B<-ssl3>
-only include SSL v3 ciphers.
+List the ciphers which would be used if SSL v3 was negotiated.
=item B<-tls1>
-only include TLS v1 ciphers.
+List the ciphers which would be used if TLS v1.0 was negotiated.
+
+=item B<-tls1_1>
+
+List the ciphers which would be used if TLS v1.1 was negotiated.
+
+=item B<-tls1_2>
+
+List the ciphers which would be used if TLS v1.2 was negotiated.
=item B<-stdname>
@@ -245,10 +261,15 @@ carry ECDH keys.
cipher suites using ECDSA authentication, i.e. the certificates carry ECDSA
keys.
-=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>
+=item B<TLSv1.2>, B<TLSv1.0>, B<SSLv3>
+
+Lists ciphersuites which are only supported in at least TLS v1.2, TLS v1.0
+or SSL v3.0 respectively. Note: there are no ciphersuites specific to TLS v1.1.
+Since this is only the minimum version if, for example, TLS v1.0 is supported
+then both TLS v1.0 and SSL v3.0 ciphersuites are included.
-TLS v1.2, TLS v1.0 or SSL v3.0 cipher suites respectively. Note:
-there are no ciphersuites specific to TLS v1.1.
+Note: these cipher strings B<do not> change the negotiated version of SSL or
+TLS only the list of cipher suites.
=item B<AES128>, B<AES256>, B<AES>
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 8b12761..95cc56a 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -608,7 +608,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_eNULL,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -623,7 +623,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_eNULL,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -638,7 +638,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_eNULL,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -656,7 +656,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -671,7 +671,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDH,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -686,7 +686,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDH,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -701,7 +701,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -716,7 +716,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -731,7 +731,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -747,7 +747,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -762,7 +762,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDH,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -778,7 +778,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDH,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -794,7 +794,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -810,7 +810,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -826,7 +826,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -942,7 +942,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CAMELLIA128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -958,7 +958,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDH,
SSL_CAMELLIA128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -974,7 +974,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDH,
SSL_CAMELLIA128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -990,7 +990,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_CAMELLIA128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1006,7 +1006,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CAMELLIA128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1022,7 +1022,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_CAMELLIA128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1153,7 +1153,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aGOST01,
SSL_eGOST2814789CNT,
SSL_GOST89MAC,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
256,
@@ -1167,7 +1167,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aGOST01,
SSL_eNULL,
SSL_GOST94,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE,
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94,
0,
@@ -1186,7 +1186,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CAMELLIA256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -1201,7 +1201,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDH,
SSL_CAMELLIA256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -1217,7 +1217,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDH,
SSL_CAMELLIA256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -1233,7 +1233,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_CAMELLIA256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -1249,7 +1249,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_CAMELLIA256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -1265,7 +1265,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_CAMELLIA256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -1284,7 +1284,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_RC4,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1300,7 +1300,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_3DES,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -1316,7 +1316,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1332,7 +1332,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -1348,7 +1348,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_RC4,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1364,7 +1364,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_3DES,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -1380,7 +1380,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1396,7 +1396,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -1412,7 +1412,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_RC4,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1428,7 +1428,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_3DES,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -1444,7 +1444,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1460,7 +1460,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -1480,7 +1480,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_SEED,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1496,7 +1496,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDH,
SSL_SEED,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1512,7 +1512,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDH,
SSL_SEED,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1528,7 +1528,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_SEED,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1544,7 +1544,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_SEED,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1560,7 +1560,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_SEED,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2277,7 +2277,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDH,
SSL_eNULL,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -2293,7 +2293,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDH,
SSL_RC4,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2309,7 +2309,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDH,
SSL_3DES,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -2325,7 +2325,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDH,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2341,7 +2341,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDH,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -2357,7 +2357,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_eNULL,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -2373,7 +2373,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_RC4,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2389,7 +2389,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_3DES,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -2405,7 +2405,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2421,7 +2421,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDSA,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -2437,7 +2437,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDH,
SSL_eNULL,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -2453,7 +2453,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDH,
SSL_RC4,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2469,7 +2469,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDH,
SSL_3DES,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -2485,7 +2485,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDH,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2501,7 +2501,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aECDH,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -2517,7 +2517,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_eNULL,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -2533,7 +2533,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_RC4,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2549,7 +2549,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_3DES,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -2565,7 +2565,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2581,7 +2581,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -2597,7 +2597,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_eNULL,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -2613,7 +2613,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_RC4,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2629,7 +2629,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_3DES,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -2645,7 +2645,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2661,7 +2661,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aNULL,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -2679,7 +2679,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aSRP,
SSL_3DES,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -2695,7 +2695,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_3DES,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -2711,7 +2711,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_3DES,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -2727,7 +2727,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aSRP,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2743,7 +2743,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2759,7 +2759,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2775,7 +2775,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aSRP,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -2791,7 +2791,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -2807,7 +2807,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aDSS,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -3086,7 +3086,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_RC4,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -3102,7 +3102,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_3DES,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
@@ -3118,7 +3118,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES128,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -3134,7 +3134,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_AES256,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
@@ -3182,7 +3182,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_aPSK,
SSL_eNULL,
SSL_SHA1,
- SSL_TLSV1,
+ SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
@@ -4841,6 +4841,9 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
/* Skip TLS v1.2 only ciphersuites if not supported */
if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s))
continue;
+ /* Skip TLS v1.0 ciphersuites if SSLv3 */
+ if ((c->algorithm_ssl & SSL_TLSV1) && s->version == SSL3_VERSION)
+ continue;
ssl_set_masks(s, c);
mask_k = s->s3->tmp.mask_k;
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 0cecd92..580178e 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -389,7 +389,8 @@ static const SSL_CIPHER cipher_aliases[] = {
/* protocol version aliases */
{0, SSL_TXT_SSLV3, 0, 0, 0, 0, 0, SSL_SSLV3, 0, 0, 0, 0},
- {0, SSL_TXT_TLSV1, 0, 0, 0, 0, 0, SSL_TLSV1, 0, 0, 0, 0},
+ {0, SSL_TXT_TLSV1, 0, 0, 0, 0, 0, SSL_SSLV3, 0, 0, 0, 0},
+ {0, "TLSv1.0", 0, 0, 0, 0, 0, SSL_TLSV1, 0, 0, 0, 0},
{0, SSL_TXT_TLSV1_2, 0, 0, 0, 0, 0, SSL_TLSV1_2, 0, 0, 0, 0},
/* export flag */
@@ -1621,6 +1622,8 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
if (alg_ssl & SSL_SSLV3)
ver = "SSLv3";
+ else if (alg_ssl & SSL_TLSV1)
+ ver = "TLSv1.0";
else if (alg_ssl & SSL_TLSV1_2)
ver = "TLSv1.2";
else
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 03bc35c..1295b7b 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -381,8 +381,8 @@
/* Bits for algorithm_ssl (protocol version) */
# define SSL_SSLV3 0x00000002U
-# define SSL_TLSV1 SSL_SSLV3/* for now */
-# define SSL_TLSV1_2 0x00000004U
+# define SSL_TLSV1 0x00000004U
+# define SSL_TLSV1_2 0x00000008U
/* Bits for algorithm2 (handshake digests and other extra flags) */
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 73716b5..f6b95d6 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1325,6 +1325,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
s->s3->tmp.mask_ssl = SSL_TLSV1_2;
else
s->s3->tmp.mask_ssl = 0;
+ /* Skip TLS v1.0 ciphersuites if SSLv3 */
+ if ((c->algorithm_ssl & SSL_TLSV1) && s->version == SSL3_VERSION)
+ s->s3->tmp.mask_ssl |= SSL_TLSV1;
/*
* If it is a disabled cipher we didn't send it in client hello, so
* return an error.
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 943d473..ffc95d8 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1094,6 +1094,9 @@ void ssl_set_client_disabled(SSL *s)
s->s3->tmp.mask_ssl = SSL_TLSV1_2;
else
s->s3->tmp.mask_ssl = 0;
+ /* Disable TLS 1.0 ciphers if using SSL v3 */
+ if (s->client_version == SSL3_VERSION)
+ s->s3->tmp.mask_ssl |= SSL_TLSV1;
ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
/*
* Disable static DH if we don't include any appropriate signature
More information about the openssl-commits
mailing list