Remove support for SSL_OP_NETSCAPE_CA_DN_BUG.

This is an ancient bug workaround for Netscape clients. The documentation talks about versions 3.x and 4.x beta. Reviewed-by: N Tim Hudson <tjh@openssl.org>

Remove support for SSL_OP_NETSCAPE_CA_DN_BUG.
This is an ancient bug workaround for Netscape clients. The documentation talks about versions 3.x and 4.x beta. Reviewed-by: N Tim Hudson <tjh@openssl.org>
3c33c6f6 · Matt Caswell · ae632974 · 3c33c6f6 · 3c33c6f6 · 3c33c6f6
隐藏空白更改
内联并排

Showing with 9 addition and 35 deletion

doc/ssl/SSL_CTX_set_options.pod doc/ssl/SSL_CTX_set_options.pod +0 -5

ssl/s3_clnt.c ssl/s3_clnt.c +3 -15

ssl/s3_srvr.c ssl/s3_srvr.c +4 -14

ssl/ssl.h ssl/ssl.h +2 -1

未找到文件。
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -169,11 +169,6 @@ will send its list of preferences to the client and the client chooses.
 ...
-=item SSL_OP_NETSCAPE_CA_DN_BUG
-If we accept a netscape connection, demand a client cert, have a
-non-self-signed CA which does not have its CA in netscape, and the
-browser has a cert, it will crash/hang.  Works for 3.x and 4.xbeta 
 =item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG

--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2109,8 +2109,6 @@ int ssl3_get_certificate_request(SSL *s)
    for (nc = 0; nc < llen;) {
        n2s(p, l);
        if ((l + nc + 2) > llen) {
-            if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
-                goto cont;      /* netscape bugs */
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
            SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
            goto err;
@@ -2119,14 +2117,9 @@ int ssl3_get_certificate_request(SSL *s)
        q = p;
        if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
-            /* If netscape tolerance is on, ignore errors */
+            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-            if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
+            SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
-                goto cont;
+            goto err;
-            else {
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
-                goto err;
-            }
        }
        if (q != (p + l)) {
@@ -2144,11 +2137,6 @@ int ssl3_get_certificate_request(SSL *s)
        nc += l + 2;
    }
-    if (0) {
- cont:
-        ERR_clear_error();
-    }
    /* we should setup a certificate to return.... */
    s->s3->tmp.cert_req = 1;
    s->s3->tmp.ctype_num = ctype_num;

--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2056,20 +2056,10 @@ int ssl3_send_certificate_request(SSL *s)
                    goto err;
                }
                p = ssl_handshake_start(s) + n;
-                if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
+                s2n(j, p);
-                    s2n(j, p);
+                i2d_X509_NAME(name, &p);
-                    i2d_X509_NAME(name, &p);
+                n += 2 + j;
-                    n += 2 + j;
+                nl += 2 + j;
-                    nl += 2 + j;
-                } else {
-                    d = p;
-                    i2d_X509_NAME(name, &p);
-                    j -= 2;
-                    s2n(j, d);
-                    j += 2;
-                    n += j;
-                    nl += j;
-                }
            }
        }
        /* else no CA names */

--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -478,7 +478,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
 # define SSL_OP_PKCS1_CHECK_1                            0x0
 # define SSL_OP_PKCS1_CHECK_2                            0x0
-# define SSL_OP_NETSCAPE_CA_DN_BUG                       0x20000000L
+/* Removed as of OpenSSL 1.1.0 */
+# define SSL_OP_NETSCAPE_CA_DN_BUG                       0x0
 # define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x40000000L
 /*
 * Make server add server-hello extension from early version of cryptopro