File OpenSSL-SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG... of Package curl

Overview Repositories Revisions Requests Users Attributes Meta

File OpenSSL-SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG-opti.patch of Package curl

--- lib/ssluse.c.orig	2012-02-16 16:37:03.792689386 +0100
+++ lib/ssluse.c	2012-02-16 16:45:56.936714533 +0100
@@ -1317,6 +1317,7 @@
   X509_LOOKUP *lookup=NULL;
   curl_socket_t sockfd = conn->sock[sockindex];
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+  long ctx_options;
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 #ifdef ENABLE_IPV6
   struct in6_addr addr;
@@ -1379,12 +1380,33 @@
      enable the bug workaround options if compatibility with somewhat broken
      implementations is desired."
 
-  */
-  SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL);
-
-  /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
-  if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
-    SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2);
+      SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed proper
+      interoperability with web server Netscape Enterprise Server 2.0.1 which
+      was released back in 1996.
+ 
+      Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
+      become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
+      CVE-2010-4180 when using previous OpenSSL versions we no longer enable
+      this option regardless of OpenSSL version and SSL_OP_ALL definition.
+    */
+ 
+   ctx_options = SSL_OP_ALL;
+ 
+  #ifdef SSL_OP_NO_TICKET
+   ctx_options |= SSL_OP_NO_TICKET;
+  #endif
+  
+ #if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && \
+   (SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG == 0x00000008L)
+   /* mitigate CVE-2010-4180 */
+   ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
+ #endif
+  
+    /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
+    if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
+     ctx_options |= SSL_OP_NO_SSLv2;
+ 
+   SSL_CTX_set_options(connssl->ctx, ctx_options);
 
 #if 0
   /*

Places

File OpenSSL-SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG-opti.patch of Package curl

Places