[openssl] master update

kaduk at mit.edu kaduk at mit.edu
Wed May 5 16:03:25 UTC 2021

The branch master has been updated
       via  6c0ac9b99f2b7278a5ec60ef0c29c71e9eb4f40d (commit)
       via  cbbbc8fce41cc162c75d1e5bd1053b6085cb3b47 (commit)
       via  72d2670bd21becfa6a64bb03fa55ad82d6d0c0f3 (commit)
      from  8369592d35da7d321b8d2f4b5591acd72481111a (commit)

- Log -----------------------------------------------------------------
commit 6c0ac9b99f2b7278a5ec60ef0c29c71e9eb4f40d
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date:   Mon May 3 13:23:53 2021 -0700

    adapt tests to SSL_OP_LEGACY_SERVER_CONNECT change
    The "bad DTLS" tests run into trouble due to the special behavior
    for that "bad" version, and the SSL record tests need to set the
    -legacy_server_connect flag to allow an SSLv2 ClientHello to work
    against any TLS server (since SSLv2 ClientHello messages cannot
    carry extensions as would be needed in order to negotiate the use
    of the renegitiation_info extension).
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15127)

commit cbbbc8fce41cc162c75d1e5bd1053b6085cb3b47
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date:   Mon May 3 13:43:55 2021 -0700

    Correct ssl_conf logic for "legacy_server_connect"
    This option is only useful for the client, but it was previously
    marked as only being applicable for servers.
    Correct the entry to properly mark it as client-only, and update the
    s_server/s_client manuals accordingly.
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15127)

commit 72d2670bd21becfa6a64bb03fa55ad82d6d0c0f3
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date:   Mon May 3 12:16:19 2021 -0700

    Enforce secure renegotiation support by default
    Previously we would set SSL_OP_LEGACY_SERVER_CONNECT by default in
    SSL_CTX_new(), to allow connections to legacy servers that did not
    implement RFC 5746.
    It has been more than a decade since RFC 5746 was published, so
    there has been plenty of time for implmentation support to roll out.
    Change the default behavior to be to require peers to support
    secure renegotiation.  Existing applications that already cleared
    SSL_OP_LEGACY_SERVER_CONNECT will see no behavior change, as
    re-clearing the flag is just a little bit of redundant work.
    The old behavior is still available by explicitly setting the flag
    in the application.
    similar reasons.
    Document the behavior change in CHANGES.md, and update the
    SSL_CTX_set_options() and SSL_CONF_cmd manuals to reflect the change
    in default behavior.
    Fixes: 14848
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15127)


Summary of changes:
 CHANGES.md                        |  8 ++++++++
 doc/man1/openssl-s_client.pod.in  |  1 +
 doc/man1/openssl-s_server.pod.in  |  1 -
 doc/man3/SSL_CONF_cmd.pod         |  1 -
 doc/man3/SSL_CTX_set_options.pod  | 19 ++++++-------------
 include/openssl/ssl.h.in          |  1 -
 ssl/ssl_conf.c                    |  2 +-
 ssl/ssl_lib.c                     |  5 -----
 test/bad_dtls_test.c              |  2 ++
 test/recipes/70-test_sslrecords.t |  2 +-
 10 files changed, 19 insertions(+), 23 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 7b6c7c5ffb..6e89f9814c 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -82,6 +82,14 @@ OpenSSL 3.0
    *Boris Pismenny, John Baldwin and Andrew Gallatin*
+ * Support for RFC 5746 secure renegotiation is now required by default for
+   SSL or TLS connections to succeed.  Applications that require the ability
+   to connect to legacy peers will need to explicitly set
+   is no longer set as part of SSL_OP_ALL.
+   *Benjamin Kaduk*
  * The signature of the `copy` functional parameter of the
    EVP_PKEY_meth_set_copy() function has changed so its `src` argument is
    now `const EVP_PKEY_CTX *` instead of `EVP_PKEY_CTX *`. Similarly
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 6d6ba81384..e11df7a9ae 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -83,6 +83,7 @@ B<openssl> B<s_client>
 [B<-sigalgs> I<sigalglist>]
 [B<-curves> I<curvelist>]
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index 243ab8b3e0..fa4190a869 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -94,7 +94,6 @@ B<openssl> B<s_server>
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index 125164e4c8..8da8f7f060 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -76,7 +76,6 @@ set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers.
 permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
 clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
-Set by default.
 =item B<-prioritize_chacha>
diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod
index 1bc5894127..e84aaac8a8 100644
--- a/doc/man3/SSL_CTX_set_options.pod
+++ b/doc/man3/SSL_CTX_set_options.pod
@@ -88,8 +88,7 @@ implementations.
 =item SSL_OP_ALL
-All of the above bug workarounds plus B<SSL_OP_LEGACY_SERVER_CONNECT> as
-mentioned below.
+All of the above bug workarounds.
@@ -193,8 +192,7 @@ servers. See the B<SECURE RENEGOTIATION> section for more details.
 Allow legacy insecure renegotiation between OpenSSL and unpatched servers
-B<only>: this option is currently set by default. See the
-B<SECURE RENEGOTIATION> section for more details.
+B<only>. See the B<SECURE RENEGOTIATION> section for more details.
@@ -378,15 +376,10 @@ and renegotiation between patched OpenSSL clients and unpatched servers
 succeeds. If neither option is set then initial connections to unpatched
 servers will fail.
-The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even
-though it has security implications: otherwise it would be impossible to
-connect to unpatched servers (i.e. all of them initially) and this is clearly
-not acceptable. Renegotiation is permitted because this does not add any
-additional security issues: during an attack clients do not see any
-renegotiations anyway.
-As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will
-B<not> be set by default in a future version of OpenSSL.
+Setting the option B<SSL_OP_LEGACY_SERVER_CONNECT> has security implications;
+clients that are willing to connect to servers that do not implement
+RFC 5746 secure renegotiation are subject to attacks such as
 OpenSSL client applications wishing to ensure they can connect to unpatched
 servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT>
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index d607d8d02f..d03fff6be5 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -425,7 +425,6 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
-                            SSL_OP_LEGACY_SERVER_CONNECT|\
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 4e71a9cf64..1f288b5e06 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -684,7 +684,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
     SSL_CONF_CMD_SWITCH("no_ticket", 0),
     SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0),
-    SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_SERVER),
+    SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_CLIENT),
     SSL_CONF_CMD_SWITCH("no_renegotiation", 0),
     SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER),
     SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER),
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 27a5ec4581..c9b49279c5 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3310,11 +3310,6 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
 # endif
-    /*
-     * Default is to connect to non-RI servers. When RI is more widely
-     * deployed might change this.
-     */
-    ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
      * Disable compression by default to prevent CRIME. Applications can
      * re-enable compression by configuring
diff --git a/test/bad_dtls_test.c b/test/bad_dtls_test.c
index 48cf45bae6..a67db1737e 100644
--- a/test/bad_dtls_test.c
+++ b/test/bad_dtls_test.c
@@ -494,6 +494,8 @@ static int test_bad_dtls(void)
     if (!TEST_ptr(ctx)
             || !TEST_true(SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER))
             || !TEST_true(SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER))
+            || !TEST_true(SSL_CTX_set_options(ctx,
+                                              SSL_OP_LEGACY_SERVER_CONNECT))
             || !TEST_true(SSL_CTX_set_cipher_list(ctx, "AES128-SHA")))
         goto end;
diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t
index 729a41856d..318c9235b0 100644
--- a/test/recipes/70-test_sslrecords.t
+++ b/test/recipes/70-test_sslrecords.t
@@ -96,7 +96,7 @@ my $sslv2testtype = TLSV1_2_IN_SSLV2;
+$proxy->clientflags("-no_tls1_3 -legacy_renegotiation");
 ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test");

More information about the openssl-commits mailing list