[openssl-dev] [PATCH] Add support for minimum and maximum protocol version supported by a cipher
David Woodhouse
dwmw2 at infradead.org
Fri Jul 8 16:43:21 UTC 2016
On Sun, 2016-02-07 at 20:17 +0100, Kurt Roeckx wrote:
> Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
>
> MR: #1595
> ---
> ssl/s3_lib.c | 534 +++++++++++++++++++++++++++++++----------------
> ssl/ssl_ciph.c | 196 +++++++++--------
> ssl/ssl_lib.c | 4 +-
> ssl/ssl_locl.h | 21 +-
> ssl/ssl_txt.c | 2 +-
> ssl/statem/statem_clnt.c | 18 +-
> ssl/statem/statem_lib.c | 6 +-
> ssl/t1_lib.c | 41 ++--
> 8 files changed, 504 insertions(+), 318 deletions(-)
>
> diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
> index 51fb161..093ff09 100644
> --- a/ssl/s3_lib.c
> +++ b/ssl/s3_lib.c
> @@ -171,7 +171,8 @@ static const SSL_CIPHER ssl3_ciphers[] = {
> SSL_aRSA,
> SSL_eNULL,
> SSL_MD5,
> - SSL_SSLV3,
> + SSL3_VERSION, TLS1_2_VERSION,
> + DTLS1_VERSION, DTLS1_2_VERSION,
This broke the OpenConnect VPN client, which now fails thus:
DTLS handshake failed: 1
67609664:error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available:ssl/statem/statem_clnt.c:927:
I tried the naïvely obvious step of changing all instances of
DTLS1_VERSION as the minimum, to DTLS1_BAD_VER. That didn't help.
Having said that, reverting this change isn't *sufficient* to fix
OpenSSL 1.1; it still fails with
DTLS handshake failed: 1
67609664:error:14160098:SSL routines:read_state_machine:excessive message size:ssl/statem/statem.c:586:
... which goes back to before 1.1.0-pre1. I'll find that one later...
--
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5760 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160708/c0d03807/attachment.bin>
More information about the openssl-dev
mailing list