/[smeserver]/rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2010-4180.patch
ViewVC logotype

Contents of /rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2010-4180.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Tue Feb 18 03:03:09 2014 UTC (10 years, 8 months ago) by wellsi
Branch: MAIN
CVS Tags: openssl-0_9_8e-28_el5_sme, openssl-0_9_8e-33_1_el5_sme, openssl-0_9_8e-32_1_el5_sme, openssl-0_9_8e-27_1_el5_sme, openssl-0_9_8e-27_el5_10_1, openssl-0_9_8e-31_1_el5_sme, HEAD
Branch point for: upstream
Initial import

1 *) Disable code workaround for ancient and obsolete Netscape browsers
2 and servers: an attacker can use it in a ciphersuite downgrade attack.
3 Thanks to Martin Rex for discovering this bug. CVE-2010-4180
4 diff -up openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.disable-nsbug openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod
5 --- openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.disable-nsbug 2010-12-07 17:45:32.000000000 +0100
6 +++ openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod 2010-12-07 17:45:33.000000000 +0100
7 @@ -78,18 +78,7 @@ this breaks this server so 16 bytes is t
8
9 =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
10
11 -ssl3.netscape.com:443, first a connection is established with RC4-MD5.
12 -If it is then resumed, we end up using DES-CBC3-SHA. It should be
13 -RC4-MD5 according to 7.6.1.3, 'cipher_suite'.
14 -
15 -Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug.
16 -It only really shows up when connecting via SSLv2/v3 then reconnecting
17 -via SSLv3. The cipher list changes....
18 -
19 -NEW INFORMATION. Try connecting with a cipher list of just
20 -DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses
21 -RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when
22 -doing a re-connect, always takes the first cipher in the cipher list.
23 +This option has no effect anymore.
24
25 =item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
26
27 diff -up openssl-fips-0.9.8e/ssl/ssl.h.disable-nsbug openssl-fips-0.9.8e/ssl/ssl.h
28 --- openssl-fips-0.9.8e/ssl/ssl.h.disable-nsbug 2010-12-07 17:45:32.000000000 +0100
29 +++ openssl-fips-0.9.8e/ssl/ssl.h 2010-12-07 17:45:33.000000000 +0100
30 @@ -482,7 +482,7 @@ typedef struct ssl_session_st
31 #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
32 /* Allow initial connection to servers that don't support RI */
33 #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
34 -#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */
35 +#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* no effect anymore */
36 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
37 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
38 #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
39 diff -up openssl-fips-0.9.8e/ssl/s3_clnt.c.disable-nsbug openssl-fips-0.9.8e/ssl/s3_clnt.c
40 --- openssl-fips-0.9.8e/ssl/s3_clnt.c.disable-nsbug 2010-12-07 17:45:32.000000000 +0100
41 +++ openssl-fips-0.9.8e/ssl/s3_clnt.c 2010-12-07 17:45:33.000000000 +0100
42 @@ -752,8 +752,11 @@ int ssl3_get_server_hello(SSL *s)
43 s->session->cipher_id = s->session->cipher->id;
44 if (s->hit && (s->session->cipher_id != c->id))
45 {
46 +/* Workaround is now obsolete */
47 +#if 0
48 if (!(s->options &
49 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
50 +#endif
51 {
52 al=SSL_AD_ILLEGAL_PARAMETER;
53 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
54 diff -up openssl-fips-0.9.8e/ssl/s3_srvr.c.disable-nsbug openssl-fips-0.9.8e/ssl/s3_srvr.c
55 --- openssl-fips-0.9.8e/ssl/s3_srvr.c.disable-nsbug 2010-12-07 17:46:11.000000000 +0100
56 +++ openssl-fips-0.9.8e/ssl/s3_srvr.c 2010-12-07 17:46:15.000000000 +0100
57 @@ -870,12 +870,14 @@ int ssl3_get_client_hello(SSL *s)
58 }
59 if (j == 0)
60 {
61 +#if 0
62 if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
63 {
64 /* Very bad for multi-threading.... */
65 s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0);
66 }
67 else
68 +#endif
69 {
70 /* we need to have the cipher in the cipher
71 * list if we are asked to reuse it */

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed