
From: Marcus Meissner <meissner@suse.com>
Date: Tue, 1 Mar 2016 22:26:36 +0100
Subject: Disable SSLv2 by default
Patch-mainline: Never, SUSE specific
References: CVE-2016-0800 bsc#968046

In order to mitigate the "DROWN" vulnerability (CVE-2016-0800), disable
SSLv2 unless environment variable OPENSSL_ALLOW_SSL2 is set. Also, the
"export" ciphers are disabled unless the OPENSSL_ALLOW_EXPORT
environment variable is set.

This is a weaker version of the upstream solution in order to allow
users to keep using SSLv2 if they declare they are willing to take the
risk.
---
 ssl/ssl_ciph.c | 2 ++
 ssl/ssl_lib.c  | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index cac525e86009..3ef9fdbf2cd4 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -802,6 +802,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
 {
     int i, co_list_num;
     const SSL_CIPHER *c;
+    int support_export = !!getenv("OPENSSL_ALLOW_EXPORT");
 
     /*
      * We have num_of_ciphers descriptions compiled in, depending on the
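Review bot: The new `support_export` flag is derived from a plain `getenv()` on the added line, so it is honoured even in set-user-ID processes where the environment is attacker-controlled; OpenSSL already guards its other environment lookups with `OPENSSL_issetugid()`, and the same guard fits here: `int support_export = !OPENSSL_issetugid() && getenv("OPENSSL_ALLOW_EXPORT") != NULL;`. The test is presence-only, so `OPENSSL_ALLOW_EXPORT=0` also re-enables export ciphers; a short comment stating that would save confusion. `getenv()` is declared in `<stdlib.h>`, which presumably reaches this file through the existing includes — worth confirming. The identical concern applies to the `OPENSSL_ALLOW_SSL2` check added in `SSL_CTX_new` in ssl/ssl_lib.c; `ssl_cipher_collect_ciphers` continues outside this hunk.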
@@ -816,6 +817,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
         c = ssl_method->get_cipher(i);
         /* drop those that use any of that is not available */
         if ((c != NULL) && c->valid &&
+            (!(c->algo_strength & SSL_EXPORT) || support_export) &&
 #ifdef OPENSSL_FIPS
             (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
 #endif
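Review bot: The added `(!(c->algo_strength & SSL_EXPORT) || support_export)` term drops every export-grade cipher from the collected list itself, so neither `SSL_CTX_set_cipher_list()` nor the `EXPORT` cipher-string keyword can bring them back at runtime without the environment variable — an intended but non-obvious effect that deserves a comment on the line, e.g. `/* export-grade ciphers are withheld unless OPENSSL_ALLOW_EXPORT is set (CVE-2016-0800) */`. The existing "drop those that use any of that is not available" comment no longer fully describes the condition. The enclosing loop and function continue outside this hunk.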
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e11746a69508..3c37ac84a058 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1871,6 +1871,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
     ret->wbuf_freelist->len = 0;
     ret->wbuf_freelist->head = NULL;
 #endif
+	/* Default is now SSLv2 disabled (CVE-2016-0800 bsc#968046 DROWN) */
+	if (!getenv("OPENSSL_ALLOW_SSL2"))
+		ret->options |= SSL_OP_NO_SSLv2;
+
 #ifndef OPENSSL_NO_ENGINE
     ret->client_cert_engine = NULL;
 # ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
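Review bot: The three added lines in `SSL_CTX_new` are indented with a tab while the surrounding context (the `wbuf_freelist` assignments above and `client_cert_engine` below) uses four spaces, so they should be re-indented to match: `    /* Default is now SSLv2 disabled (CVE-2016-0800 bsc#968046 DROWN) */`, `    if (!getenv("OPENSSL_ALLOW_SSL2"))`, `        ret->options |= SSL_OP_NO_SSLv2;`. The comment could also say that the option is only a default and that a later `SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2)` call still re-enables SSLv2, since that is what makes this a weaker mitigation than the upstream removal. `SSL_CTX_new` starts and ends outside this hunk.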
-- 
2.7.2
