OpenHarmony
Third Party Openssl
Commit 06da6e49
Authored 23 years ago
Author: Lutz Jänicke
Don't disable rollback attack detection as a recommended bug workaround.
Parent: b72faddc
Showing 3 changed files with 28 additions and 14 deletions:
CHANGES (+8 -0)
doc/ssl/SSL_CTX_set_options.pod (+15 -13)
ssl/ssl.h (+5 -1)
CHANGES
...
...
@@ -12,6 +12,14 @@
*) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
+) applies to 0.9.7 only
+) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
bug workarounds. Rollback attack detection is a security feature.
The problem will only arise on OpenSSL servers, when TLSv1 is not
available (sslv3_server_method() or SSL_OP_NO_TLSv1).
Software authors not wanting to support TLSv1 will have special reasons
for their choice and can explicitly enable this option.
[Bodo Moeller, Lutz Jaenicke]
+) Rationalise EVP so it can be extended: don't include a union of
cipher/digest structures, add init/cleanup functions. This also reduces
the number of header dependencies.
...
...
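Review bot: "The problem will only arise on OpenSSL servers" in the new entry never says which problem is meant. Name it, for example as the interoperability problem with clients that announce TLSv1 in the hello but step down to SSLv3 in the client key exchange, which is how doc/ssl/SSL_CTX_set_options.pod describes it. Because applications that set SSL_OP_ALL lose this workaround on upgrade, the entry should also state that consequence directly, so the change is not read as a reshuffle of the documentation.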
doc/ssl/SSL_CTX_set_options.pod
...
...
@@ -100,18 +100,6 @@ doing a re-connect, always takes the first cipher in the cipher list.
...
=item SSL_OP_TLS_ROLLBACK_BUG
Disable version rollback attack detection.
During the client key exchange, the client must send the same information
about acceptable SSL/TLS protocol levels as during the first hello. Some
clients violate this rule by adapting to the server's answer. (Example:
the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
only understands up to SSLv3. In this case the client must still use the
same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
to the server's answer and violate the version rollback protection.)
=item SSL_OP_ALL
All of the above bug workarounds.
...
...
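Review bot: with the SSL_OP_TLS_ROLLBACK_BUG item taken out of this list, "All of the above bug workarounds." under SSL_OP_ALL is correct only by position, and a reader coming from 0.9.6 gets no hint at this point that the set has shrunk. Add a sentence under =item SSL_OP_ALL saying that SSL_OP_TLS_ROLLBACK_BUG is not included and has to be set separately.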
@@ -125,6 +113,18 @@ The following B<modifying> options are available:
=over 4
=item SSL_OP_TLS_ROLLBACK_BUG
Disable version rollback attack detection.
During the client key exchange, the client must send the same information
about acceptable SSL/TLS protocol levels as during the first hello. Some
clients violate this rule by adapting to the server's answer. (Example:
the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
only understands up to SSLv3. In this case the client must still use the
same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
to the server's answer and violate the version rollback protection.)
=item SSL_OP_SINGLE_DH_USE
Always create a new key when using temporary/ephemeral DH parameters
...
...
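Review bot: the relocated item still opens with only "Disable version rollback attack detection." and does not tell the reader when the option is needed or that setting it gives up a protection. Carry over the condition given in the CHANGES entry (OpenSSL servers on which TLSv1 is not available, that is sslv3_server_method() or SSL_OP_NO_TLSv1) and state that the option is meant only for servers that must accept clients with this behaviour.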
@@ -207,6 +207,8 @@ L<dhparam(1)|dhparam(1)>
SSL_OP_CIPHER_SERVER_PREFERENCE has been added in OpenSSL 0.9.7.
SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6.
SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6 and was automatically
enabled with SSL_OP_ALL. As of 0.9.7 it is no longer included in SSL_OP_ALL
and must be explicitely set.
=cut
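Review bot: "explicitely" in the last line of the new history sentence should be "explicitly". The sentence would also be easier to act on if it named the call, for example "must be set explicitly with SSL_CTX_set_options()", since this is the only place in the page where an upgrading reader learns of the change.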
ssl/ssl.h
...
...
@@ -332,7 +332,6 @@ typedef struct ssl_session_st
#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
#define SSL_OP_TLS_D5_BUG 0x00000100L
#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
#define SSL_OP_TLS_ROLLBACK_BUG 0x00000400L
/* If set, always create a new key when using tmp_dh parameters */
#define SSL_OP_SINGLE_DH_USE 0x00100000L
...
...
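Review bot: dropping the 0x00000400L define between SSL_OP_TLS_BLOCK_PADDING_BUG and the SSL_OP_SINGLE_DH_USE comment leaves that bit with no name and no explanation. Leave a short comment in its place marking 0x00000400L as the former SSL_OP_TLS_ROLLBACK_BUG value that must not be reused, since code built against the older header may still pass that value in its options.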
@@ -341,6 +340,11 @@ typedef struct ssl_session_st
/* Set on servers to choose the cipher according to the server's
* preferences */
#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
/* If set, a server will allow a client to issue a SSLv3.0 version number
* as latest version supported in the premaster secret, even when TLSv1.0
* (version 3.1) was announced in the client hello. Normally this is
* forbidden to prevent version rollback attacks. */
#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L
/* The next flag deliberately changes the ciphertest, this is a check
* for the PKCS#1 attack */
...
...
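Review bot: the new comment above SSL_OP_TLS_ROLLBACK_BUG 0x00800000L explains what the flag permits but not why its value moved. The file statistics (+5 -1) are fully accounted for by the removed define and these five added lines, so the SSL_OP_ALL definition itself is not edited, and the exclusion appears to depend on the new value lying outside that mask. Say so in the comment, for example "deliberately outside SSL_OP_ALL", so that a later renumbering or a widened mask does not silently re-enable the workaround.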