[openssl] master update

kaduk at mit.edu kaduk at mit.edu
Thu Aug 13 01:05:35 UTC 2020 

The branch master has been updated
       via  dd0164e7565bb14fac193aea4c2c37714bf66d56 (commit)
      from  eeccc237239d6f2b6fbc557be7062bfe2ab836be (commit)


- Log -----------------------------------------------------------------
commit dd0164e7565bb14fac193aea4c2c37714bf66d56
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date:   Wed Sep 19 21:14:04 2018 -0500

    Mark SSL_CTX_set_ssl_version() as deprecated in 3.0
    
    Also, document its unusual semantics of resetting the
    cipher list (but preserving other configuration).
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/7274)

-----------------------------------------------------------------------

Summary of changes:
 doc/man3/SSL_CTX_set_ssl_version.pod | 17 ++++++++++++++---
 include/openssl/ssl.h                |  2 +-
 ssl/ssl_lib.c                        |  2 ++
 util/libssl.num                      |  2 +-
 4 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/doc/man3/SSL_CTX_set_ssl_version.pod b/doc/man3/SSL_CTX_set_ssl_version.pod
index b41073112b..20efe0fbf7 100644
--- a/doc/man3/SSL_CTX_set_ssl_version.pod
+++ b/doc/man3/SSL_CTX_set_ssl_version.pod
@@ -16,9 +16,11 @@ SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method
 =head1 DESCRIPTION
 
 SSL_CTX_set_ssl_version() sets a new default TLS/SSL B<method> for SSL objects
-newly created from this B<ctx>. SSL objects already created with
-L<SSL_new(3)> are not affected, except when
-L<SSL_clear(3)> is being called.
+newly created from this B<ctx>.  Most of the configuration attached to the
+SSL_CTX object is retained, with the exception of the configured TLS ciphers,
+which are reset to the default values.  SSL objects already created from this
+SSL_CTX with L<SSL_new(3)> are not affected, except when L<SSL_clear(3)> is
+being called, as described below.
 
 SSL_set_ssl_method() sets a new TLS/SSL B<method> for a particular B<ssl>
 object. It may be reset, when SSL_clear() is called.
@@ -35,6 +37,11 @@ When L<SSL_clear(3)> is called and no session is connected to
 an SSL object, the method of the SSL object is reset to the method currently
 set in the corresponding SSL_CTX object.
 
+SSL_CTX_set_version() has unusual semantics and no clear use case;
+it would usually be preferable to create a new SSL_CTX object than to
+try to reuse an existing one in this fashion.  Its usage is considered
+deprecated.
+
 =head1 RETURN VALUES
 
 The following return values can occur for SSL_CTX_set_ssl_version()
@@ -58,6 +65,10 @@ L<SSL_CTX_new(3)>, L<SSL_new(3)>,
 L<SSL_clear(3)>, L<ssl(7)>,
 L<SSL_set_connect_state(3)>
 
+=head1 HISTORY
+
+SSL_CTX_set_ssl_version() was deprecated in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
 Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index bc003bc4fa..0b17f22193 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1903,7 +1903,7 @@ __owur int SSL_get_error(const SSL *s, int ret_code);
 __owur const char *SSL_get_version(const SSL *s);
 
 /* This sets the 'default' SSL version that SSL_new() will create */
-__owur int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
+DEPRECATEDIN_3_0(__owur int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth))
 
 # ifndef OPENSSL_NO_SSL3_METHOD
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *SSLv3_method(void)) /* SSLv3 */
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 63a7433be4..f957664a48 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -642,6 +642,7 @@ int SSL_clear(SSL *s)
     return 1;
 }
 
+#ifndef OPENSSL_NO_DEPRECATED_3_0
 /** Used to change an SSL_CTXs default SSL method type */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
 {
@@ -664,6 +665,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
     }
     return 1;
 }
+#endif
 
 SSL *SSL_new(SSL_CTX *ctx)
 {
diff --git a/util/libssl.num b/util/libssl.num
index 1758525038..45ff6ed00a 100644
--- a/util/libssl.num
+++ b/util/libssl.num
@@ -239,7 +239,7 @@ DTLSv1_method                           239	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_1
 SSL_set0_wbio                           240	3_0_0	EXIST::FUNCTION:
 SSL_read                                241	3_0_0	EXIST::FUNCTION:
 SSL_CTX_get_options                     242	3_0_0	EXIST::FUNCTION:
-SSL_CTX_set_ssl_version                 243	3_0_0	EXIST::FUNCTION:
+SSL_CTX_set_ssl_version                 243	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 SSL_set_SSL_CTX                         244	3_0_0	EXIST::FUNCTION:
 SSL_renegotiate_abbreviated             245	3_0_0	EXIST::FUNCTION:
 SSL_get_verify_mode                     246	3_0_0	EXIST::FUNCTION:

More information about the openssl-commits mailing list