Removed support for SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG. Also removed

the "-hack" option from s_server that set this option.
Reviewed-by: NTim Hudson <tjh@openssl.org>

apps/s_server.c

@@ -266,7 +266,6 @@ static int s_brief = 0;
 static char *keymatexportlabel = NULL;
 static int keymatexportlen = 20;
 
-static int hack = 0;
 #ifndef OPENSSL_NO_ENGINE
 static char *engine_id = NULL;
 #endif
@@ -423,7 +422,6 @@ static void s_server_init(void)
     s_msg = 0;
     s_quiet = 0;
     s_brief = 0;
-    hack = 0;
 # ifndef OPENSSL_NO_ENGINE
     engine_id = NULL;
 # endif
@@ -553,8 +551,6 @@ static void sv_usage(void)
     BIO_printf(bio_err,
                "-no_resume_ephemeral - Disable caching and tickets if ephemeral (EC)DH is used\n");
     BIO_printf(bio_err, " -bugs         - Turn on SSL bug compatibility\n");
-    BIO_printf(bio_err,
-               " -hack         - workaround for early Netscape code\n");
     BIO_printf(bio_err,
                " -www          - Respond to a 'GET /' with a status page\n");
     BIO_printf(bio_err,
@@ -1333,8 +1329,6 @@ int MAIN(int argc, char *argv[])
             sdebug = 1;
         } else if (strcmp(*argv, "-security_debug_verbose") == 0) {
             sdebug = 2;
-        } else if (strcmp(*argv, "-hack") == 0) {
-            hack = 1;
         } else if (strcmp(*argv, "-state") == 0) {
             state = 1;
         } else if (strcmp(*argv, "-crlf") == 0) {
@@ -1712,8 +1706,6 @@ int MAIN(int argc, char *argv[])
         BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
     }
     SSL_CTX_set_quiet_shutdown(ctx, 1);
-    if (hack)
-        SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
     if (exc)
         ssl_ctx_set_excert(ctx, exc);
 
@@ -1777,8 +1769,6 @@ int MAIN(int argc, char *argv[])
             BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
         }
         SSL_CTX_set_quiet_shutdown(ctx2, 1);
-        if (hack)
-            SSL_CTX_set_options(ctx2, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
         if (exc)
             ssl_ctx_set_excert(ctx2, exc);
 
@@ -2729,43 +2719,6 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
     }
 
     for (;;) {
-        if (hack) {
-            i = SSL_accept(con);
-#ifndef OPENSSL_NO_SRP
-            while (i <= 0
-                   && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
-                BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
-                           srp_callback_parm.login);
-                srp_callback_parm.user =
-                    SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                          srp_callback_parm.login);
-                if (srp_callback_parm.user)
-                    BIO_printf(bio_s_out, "LOOKUP done %s\n",
-                               srp_callback_parm.user->info);
-                else
-                    BIO_printf(bio_s_out, "LOOKUP not successful\n");
-                i = SSL_accept(con);
-            }
-#endif
-            switch (SSL_get_error(con, i)) {
-            case SSL_ERROR_NONE:
-                break;
-            case SSL_ERROR_WANT_WRITE:
-            case SSL_ERROR_WANT_READ:
-            case SSL_ERROR_WANT_X509_LOOKUP:
-                continue;
-            case SSL_ERROR_SYSCALL:
-            case SSL_ERROR_SSL:
-            case SSL_ERROR_ZERO_RETURN:
-                ret = 1;
-                goto err;
-                /* break; */
-            }
-
-            SSL_renegotiate(con);
-            SSL_write(con, NULL, 0);
-        }
-
         i = BIO_gets(io, buf, bufsize - 1);
         if (i < 0) {            /* error */
             if (!BIO_should_retry(io)) {

doc/apps/s_server.pod

@@ -73,7 +73,6 @@ B<openssl> B<s_server>
 [B<-no_ecdhe>]
 [B<-bugs>]
 [B<-brief>]
-[B<-hack>]
 [B<-www>]
 [B<-WWW>]
 [B<-HTTP>]
@@ -294,11 +293,6 @@ option enables various workarounds.
 only provide a brief summary of connection parameters instead of the
 normal verbose output.
 
-=item B<-hack>
-
-this option enables a further workaround for some some early Netscape
-SSL code (?).
-
 =item B<-cipher cipherlist>
 
 this allows the cipher list used by the server to be modified.  When

doc/ssl/SSL_CTX_set_options.pod

@@ -170,9 +170,6 @@ will send its list of preferences to the client and the client chooses.
 ...
 
 
-=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
-
-...
 
 =item SSL_OP_NO_SSLv2
 

ssl/s3_srvr.c

@@ -148,7 +148,6 @@
  * OTHERWISE.
  */
 
-#define REUSE_CIPHER_BUG
 #define NETSCAPE_HANG_BUG
 
 #include <stdio.h>
@@ -1384,29 +1383,7 @@ int ssl3_get_client_hello(SSL *s)
             s->tlsext_ticket_expected = 0;
     } else {
         /* Session-id reuse */
-#ifdef REUSE_CIPHER_BUG
-        STACK_OF(SSL_CIPHER) *sk;
-        SSL_CIPHER *nc = NULL;
-        SSL_CIPHER *ec = NULL;
-
-        if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) {
-            sk = s->session->ciphers;
-            for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-                c = sk_SSL_CIPHER_value(sk, i);
-                if (c->algorithm_enc & SSL_eNULL)
-                    nc = c;
-                if (SSL_C_IS_EXPORT(c))
-                    ec = c;
-            }
-            if (nc != NULL)
-                s->s3->tmp.new_cipher = nc;
-            else if (ec != NULL)
-                s->s3->tmp.new_cipher = ec;
-            else
-                s->s3->tmp.new_cipher = s->session->cipher;
-        } else
-#endif
-            s->s3->tmp.new_cipher = s->session->cipher;
+        s->s3->tmp.new_cipher = s->session->cipher;
     }
 
     if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER)) {

ssl/ssl.h

@@ -480,7 +480,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
 
 /* Removed as of OpenSSL 1.1.0 */
 # define SSL_OP_NETSCAPE_CA_DN_BUG                       0x0
-# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x40000000L
+/* Removed as of OpenSSL 1.1.0 */
+# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x0L
 /*
  * Make server add server-hello extension from early version of cryptopro
  * draft, when GOST ciphersuite is negotiated. Required for interoperability