Document rollback issues.

aa826d88 · Bodo Möller · 37569e64 · aa826d88 · aa826d88 · aa826d88
隐藏空白更改
内联并排

Showing with 8 addition and 3 deletion

CHANGES CHANGES +5 -3

ssl/s23_clnt.c ssl/s23_clnt.c +1 -0

ssl/s23_srvr.c ssl/s23_srvr.c +2 -0

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -4,9 +4,11 @@

 Changes between 0.9.5a and 0.9.6  [xx XXX 2000]

-  *) Fix SSL 2.0 rollback checking: The previous implementation of the
-     test was never triggered due to an off-by-one error in
-     RSA_padding_check_SSLv23().
+  *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in
+     RSA_padding_check_SSLv23(), special padding was never detected
+     and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
+     version rollback attacks was not effective.
+
     In s23_clnt.c, don't use special rollback-attack detection padding
     (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
     client; similarly, in s23_srvr.c, don't do the rollback check if

--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -367,6 +367,7 @@ static int ssl23_get_server_hello(SSL *s)

 		s->state=SSL2_ST_GET_SERVER_HELLO_A;
 		if (!(s->client_version == SSL2_VERSION))
+			/* use special padding (SSL 3.0 draft/RFC 2246, App. E.2) */
 			s->s2->ssl2_rollback=1;

 		/* setup the 5 bytes we have read so we get them from

--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -499,6 +499,8 @@ int ssl23_get_client_hello(SSL *s)
 			(s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3))
 			s->s2->ssl2_rollback=0;
 		else
+			/* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0
+			 * (SSL 3.0 draft/RFC 2246, App. E.2) */
 			s->s2->ssl2_rollback=1;

 		/* setup the n bytes we have read so we get them from