openSUSE:Evergreen:11.1:Test
File OpenSSL-SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG-opti.patch of Package curl
--- lib/ssluse.c.orig 2012-02-16 16:37:03.792689386 +0100 +++ lib/ssluse.c 2012-02-16 16:45:56.936714533 +0100 @@ -1317,6 +1317,7 @@ X509_LOOKUP *lookup=NULL; curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + long ctx_options; #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #ifdef ENABLE_IPV6 struct in6_addr addr; @@ -1379,12 +1380,33 @@ enable the bug workaround options if compatibility with somewhat broken implementations is desired." - */ - SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL); - - /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ - if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) - SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2); + SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed proper + interoperability with web server Netscape Enterprise Server 2.0.1 which + was released back in 1996. + + Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has + become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate + CVE-2010-4180 when using previous OpenSSL versions we no longer enable + this option regardless of OpenSSL version and SSL_OP_ALL definition. + */ + + ctx_options = SSL_OP_ALL; + + #ifdef SSL_OP_NO_TICKET + ctx_options |= SSL_OP_NO_TICKET; + #endif + + #if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && \ + (SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG == 0x00000008L) + /* mitigate CVE-2010-4180 */ + ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; + #endif + + /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ + if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) + ctx_options |= SSL_OP_NO_SSLv2; + + SSL_CTX_set_options(connssl->ctx, ctx_options); #if 0 /*
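Review bot: In the first hunk (@@ -1317,6 +1317,7 @@), `ctx_options` is declared as a signed `long` although it is only ever used as a bit mask, built up with `|=` and cleared with `&= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG` in the second hunk. Consider an unsigned type for the mask, or, if `long` was chosen to match what SSL_CTX_set_options takes, say so in a short comment next to the declaration so the complement operation is not later read as a signedness mistake.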
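Review bot: In the second hunk (@@ -1379,12 +1380,33 @@), `ctx_options |= SSL_OP_NO_TICKET;` is a behaviour change that neither the new comment nor the patch name mentions; the comment covers only SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG and CVE-2010-4180. Add a sentence to the comment explaining why the ticket option is set, or split it into its own patch so it can be reviewed and reverted separately. The guard `(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG == 0x00000008L)` also skips the mask whenever the macro is defined with any other value; a one-line comment stating that this is intended would keep a later reader from dropping the value check.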