[openssl] master update
kaduk at mit.edu
kaduk at mit.edu
Wed May 5 16:03:25 UTC 2021
The branch master has been updated
via 6c0ac9b99f2b7278a5ec60ef0c29c71e9eb4f40d (commit)
via cbbbc8fce41cc162c75d1e5bd1053b6085cb3b47 (commit)
via 72d2670bd21becfa6a64bb03fa55ad82d6d0c0f3 (commit)
from 8369592d35da7d321b8d2f4b5591acd72481111a (commit)
- Log -----------------------------------------------------------------
commit 6c0ac9b99f2b7278a5ec60ef0c29c71e9eb4f40d
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date: Mon May 3 13:23:53 2021 -0700
adapt tests to SSL_OP_LEGACY_SERVER_CONNECT change
The "bad DTLS" tests run into trouble due to the special behavior
for that "bad" version, and the SSL record tests need to set the
-legacy_server_connect flag to allow an SSLv2 ClientHello to work
against any TLS server (since SSLv2 ClientHello messages cannot
carry extensions as would be needed in order to negotiate the use
of the renegitiation_info extension).
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15127)
commit cbbbc8fce41cc162c75d1e5bd1053b6085cb3b47
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date: Mon May 3 13:43:55 2021 -0700
Correct ssl_conf logic for "legacy_server_connect"
This option is only useful for the client, but it was previously
marked as only being applicable for servers.
Correct the entry to properly mark it as client-only, and update the
s_server/s_client manuals accordingly.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15127)
commit 72d2670bd21becfa6a64bb03fa55ad82d6d0c0f3
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date: Mon May 3 12:16:19 2021 -0700
Enforce secure renegotiation support by default
Previously we would set SSL_OP_LEGACY_SERVER_CONNECT by default in
SSL_CTX_new(), to allow connections to legacy servers that did not
implement RFC 5746.
It has been more than a decade since RFC 5746 was published, so
there has been plenty of time for implmentation support to roll out.
Change the default behavior to be to require peers to support
secure renegotiation. Existing applications that already cleared
SSL_OP_LEGACY_SERVER_CONNECT will see no behavior change, as
re-clearing the flag is just a little bit of redundant work.
The old behavior is still available by explicitly setting the flag
in the application.
Also remove SSL_OP_LEGACY_SERVER_CONNECT from SSL_OP_ALL, for
similar reasons.
Document the behavior change in CHANGES.md, and update the
SSL_CTX_set_options() and SSL_CONF_cmd manuals to reflect the change
in default behavior.
Fixes: 14848
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15127)
-----------------------------------------------------------------------
Summary of changes:
CHANGES.md | 8 ++++++++
doc/man1/openssl-s_client.pod.in | 1 +
doc/man1/openssl-s_server.pod.in | 1 -
doc/man3/SSL_CONF_cmd.pod | 1 -
doc/man3/SSL_CTX_set_options.pod | 19 ++++++-------------
include/openssl/ssl.h.in | 1 -
ssl/ssl_conf.c | 2 +-
ssl/ssl_lib.c | 5 -----
test/bad_dtls_test.c | 2 ++
test/recipes/70-test_sslrecords.t | 2 +-
10 files changed, 19 insertions(+), 23 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 7b6c7c5ffb..6e89f9814c 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -82,6 +82,14 @@ OpenSSL 3.0
*Boris Pismenny, John Baldwin and Andrew Gallatin*
+ * Support for RFC 5746 secure renegotiation is now required by default for
+ SSL or TLS connections to succeed. Applications that require the ability
+ to connect to legacy peers will need to explicitly set
+ SSL_OP_LEGACY_SERVER_CONNECT. Accordingly, SSL_OP_LEGACY_SERVER_CONNECT
+ is no longer set as part of SSL_OP_ALL.
+
+ *Benjamin Kaduk*
+
* The signature of the `copy` functional parameter of the
EVP_PKEY_meth_set_copy() function has changed so its `src` argument is
now `const EVP_PKEY_CTX *` instead of `EVP_PKEY_CTX *`. Similarly
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 6d6ba81384..e11df7a9ae 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -83,6 +83,7 @@ B<openssl> B<s_client>
[B<-comp>]
[B<-no_comp>]
[B<-brief>]
+[B<-legacy_server_connect>]
[B<-allow_no_dhe_kex>]
[B<-sigalgs> I<sigalglist>]
[B<-curves> I<curvelist>]
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index 243ab8b3e0..fa4190a869 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -94,7 +94,6 @@ B<openssl> B<s_server>
[B<-serverpref>]
[B<-legacy_renegotiation>]
[B<-no_renegotiation>]
-[B<-legacy_server_connect>]
[B<-no_resumption_on_reneg>]
[B<-no_legacy_server_connect>]
[B<-allow_no_dhe_kex>]
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index 125164e4c8..8da8f7f060 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -76,7 +76,6 @@ set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers.
permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
-Set by default.
=item B<-prioritize_chacha>
diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod
index 1bc5894127..e84aaac8a8 100644
--- a/doc/man3/SSL_CTX_set_options.pod
+++ b/doc/man3/SSL_CTX_set_options.pod
@@ -88,8 +88,7 @@ implementations.
=item SSL_OP_ALL
-All of the above bug workarounds plus B<SSL_OP_LEGACY_SERVER_CONNECT> as
-mentioned below.
+All of the above bug workarounds.
=back
@@ -193,8 +192,7 @@ servers. See the B<SECURE RENEGOTIATION> section for more details.
=item SSL_OP_LEGACY_SERVER_CONNECT
Allow legacy insecure renegotiation between OpenSSL and unpatched servers
-B<only>: this option is currently set by default. See the
-B<SECURE RENEGOTIATION> section for more details.
+B<only>. See the B<SECURE RENEGOTIATION> section for more details.
=item SSL_OP_NO_ENCRYPT_THEN_MAC
@@ -378,15 +376,10 @@ and renegotiation between patched OpenSSL clients and unpatched servers
succeeds. If neither option is set then initial connections to unpatched
servers will fail.
-The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even
-though it has security implications: otherwise it would be impossible to
-connect to unpatched servers (i.e. all of them initially) and this is clearly
-not acceptable. Renegotiation is permitted because this does not add any
-additional security issues: during an attack clients do not see any
-renegotiations anyway.
-
-As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will
-B<not> be set by default in a future version of OpenSSL.
+Setting the option B<SSL_OP_LEGACY_SERVER_CONNECT> has security implications;
+clients that are willing to connect to servers that do not implement
+RFC 5746 secure renegotiation are subject to attacks such as
+CVE-2009-3555.
OpenSSL client applications wishing to ensure they can connect to unpatched
servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT>
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index d607d8d02f..d03fff6be5 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -425,7 +425,6 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
*/
# define SSL_OP_ALL (SSL_OP_CRYPTOPRO_TLSEXT_BUG|\
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS|\
- SSL_OP_LEGACY_SERVER_CONNECT|\
SSL_OP_TLSEXT_PADDING|\
SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 4e71a9cf64..1f288b5e06 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -684,7 +684,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
SSL_CONF_CMD_SWITCH("no_ticket", 0),
SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0),
- SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_SERVER),
+ SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_CLIENT),
SSL_CONF_CMD_SWITCH("no_renegotiation", 0),
SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER),
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 27a5ec4581..c9b49279c5 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3310,11 +3310,6 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
}
# endif
#endif
- /*
- * Default is to connect to non-RI servers. When RI is more widely
- * deployed might change this.
- */
- ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
/*
* Disable compression by default to prevent CRIME. Applications can
* re-enable compression by configuring
diff --git a/test/bad_dtls_test.c b/test/bad_dtls_test.c
index 48cf45bae6..a67db1737e 100644
--- a/test/bad_dtls_test.c
+++ b/test/bad_dtls_test.c
@@ -494,6 +494,8 @@ static int test_bad_dtls(void)
if (!TEST_ptr(ctx)
|| !TEST_true(SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER))
|| !TEST_true(SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER))
+ || !TEST_true(SSL_CTX_set_options(ctx,
+ SSL_OP_LEGACY_SERVER_CONNECT))
|| !TEST_true(SSL_CTX_set_cipher_list(ctx, "AES128-SHA")))
goto end;
diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t
index 729a41856d..318c9235b0 100644
--- a/test/recipes/70-test_sslrecords.t
+++ b/test/recipes/70-test_sslrecords.t
@@ -96,7 +96,7 @@ my $sslv2testtype = TLSV1_2_IN_SSLV2;
$proxy->clear();
$proxy->filter(\&add_sslv2_filter);
$proxy->serverflags("-tls1_2");
-$proxy->clientflags("-no_tls1_3");
+$proxy->clientflags("-no_tls1_3 -legacy_renegotiation");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test");
More information about the openssl-commits
mailing list