|
 |
0bf02d |
diff -up openssl-1.1.1-pre8/apps/s_client.c.disable-ssl3 openssl-1.1.1-pre8/apps/s_client.c
|
|
|
0bf02d |
--- openssl-1.1.1-pre8/apps/s_client.c.disable-ssl3 2018-07-16 18:08:20.000487628 +0200
|
|
|
0bf02d |
+++ openssl-1.1.1-pre8/apps/s_client.c 2018-07-16 18:16:40.070186323 +0200
|
|
|
0bf02d |
@@ -1681,6 +1681,9 @@ int s_client_main(int argc, char **argv)
|
|
|
0bf02d |
if (sdebug)
|
|
|
0bf02d |
ssl_ctx_security_debug(ctx, sdebug);
|
|
|
0bf02d |
|
|
|
0bf02d |
+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
|
|
|
0bf02d |
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
|
|
0bf02d |
+
|
|
|
0bf02d |
if (!config_ctx(cctx, ssl_args, ctx))
|
|
|
0bf02d |
goto end;
|
|
|
0bf02d |
|
|
|
0bf02d |
diff -up openssl-1.1.1-pre8/apps/s_server.c.disable-ssl3 openssl-1.1.1-pre8/apps/s_server.c
|
|
|
0bf02d |
--- openssl-1.1.1-pre8/apps/s_server.c.disable-ssl3 2018-07-16 18:08:20.000487628 +0200
|
|
|
0bf02d |
+++ openssl-1.1.1-pre8/apps/s_server.c 2018-07-16 18:17:17.300055551 +0200
|
|
|
0bf02d |
@@ -1760,6 +1760,9 @@ int s_server_main(int argc, char *argv[]
|
|
|
0bf02d |
if (sdebug)
|
|
|
0bf02d |
ssl_ctx_security_debug(ctx, sdebug);
|
|
|
0bf02d |
|
|
|
0bf02d |
+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
|
|
|
0bf02d |
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
|
|
0bf02d |
+
|
|
|
0bf02d |
if (!config_ctx(cctx, ssl_args, ctx))
|
|
|
0bf02d |
goto end;
|
|
|
0bf02d |
|
|
|
0bf02d |
diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.1-pre8/ssl/ssl_lib.c
|
|
|
0bf02d |
--- openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 2018-06-20 16:48:13.000000000 +0200
|
|
|
0bf02d |
+++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-16 18:08:20.001487652 +0200
|
|
|
0bf02d |
@@ -3016,6 +3016,16 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
|
|
0bf02d |
*/
|
|
|
0bf02d |
ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
|
|
|
0bf02d |
|
|
|
0bf02d |
+ if (meth->version != SSL3_VERSION) {
|
|
|
0bf02d |
+ /*
|
|
|
0bf02d |
+ * Disable SSLv3 by default. Applications can
|
|
|
0bf02d |
+ * re-enable it by configuring
|
|
|
0bf02d |
+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
|
|
0bf02d |
+ * or by using the SSL_CONF API.
|
|
|
0bf02d |
+ */
|
|
|
0bf02d |
+ ret->options |= SSL_OP_NO_SSLv3;
|
|
|
0bf02d |
+ }
|
|
|
0bf02d |
+
|
|
|
0bf02d |
ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;
|
|
|
0bf02d |
|
|
|
0bf02d |
/*
|
|
|
0bf02d |
diff -up openssl-1.1.1-pre8/test/ssl_test.c.disable-ssl3 openssl-1.1.1-pre8/test/ssl_test.c
|
|
|
0bf02d |
--- openssl-1.1.1-pre8/test/ssl_test.c.disable-ssl3 2018-06-20 16:48:15.000000000 +0200
|
|
|
0bf02d |
+++ openssl-1.1.1-pre8/test/ssl_test.c 2018-07-16 18:18:34.806865121 +0200
|
|
|
0bf02d |
@@ -443,6 +443,7 @@ static int test_handshake(int idx)
|
|
|
0bf02d |
SSL_TEST_SERVERNAME_CB_NONE) {
|
|
|
0bf02d |
if (!TEST_ptr(server2_ctx = SSL_CTX_new(TLS_server_method())))
|
|
|
0bf02d |
goto err;
|
|
|
0bf02d |
+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
|
|
|
0bf02d |
if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx,
|
|
|
0bf02d |
TLS_MAX_VERSION)))
|
|
|
0bf02d |
goto err;
|
|
|
0bf02d |
@@ -464,6 +465,8 @@ static int test_handshake(int idx)
|
|
|
0bf02d |
if (!TEST_ptr(resume_server_ctx)
|
|
|
0bf02d |
|| !TEST_ptr(resume_client_ctx))
|
|
|
0bf02d |
goto err;
|
|
|
0bf02d |
+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
|
|
|
0bf02d |
+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
|
|
|
0bf02d |
}
|
|
|
0bf02d |
}
|
|
|
0bf02d |
|
|
|
0bf02d |
@@ -477,6 +480,9 @@ static int test_handshake(int idx)
|
|
|
0bf02d |
|| !TEST_int_gt(CONF_modules_load(conf, test_app, 0), 0))
|
|
|
0bf02d |
goto err;
|
|
|
0bf02d |
|
|
|
0bf02d |
+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
|
|
|
0bf02d |
+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
|
|
|
0bf02d |
+
|
|
|
0bf02d |
if (!SSL_CTX_config(server_ctx, "server")
|
|
|
0bf02d |
|| !SSL_CTX_config(client_ctx, "client")) {
|
|
|
0bf02d |
goto err;
|
|
|
0bf02d |
diff -up openssl-1.1.1-pre8/test/ssltest_old.c.disable-ssl3 openssl-1.1.1-pre8/test/ssltest_old.c
|
|
|
0bf02d |
--- openssl-1.1.1-pre8/test/ssltest_old.c.disable-ssl3 2018-06-20 16:48:15.000000000 +0200
|
|
|
0bf02d |
+++ openssl-1.1.1-pre8/test/ssltest_old.c 2018-07-16 18:08:20.002487676 +0200
|
|
|
0bf02d |
@@ -1358,6 +1358,11 @@ int main(int argc, char *argv[])
|
|
|
0bf02d |
ERR_print_errors(bio_err);
|
|
|
0bf02d |
goto end;
|
|
|
0bf02d |
}
|
|
|
0bf02d |
+
|
|
|
0bf02d |
+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
|
|
|
0bf02d |
+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
|
|
|
0bf02d |
+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
|
|
|
0bf02d |
+
|
|
|
0bf02d |
/*
|
|
|
0bf02d |
* Since we will use low security ciphersuites and keys for testing set
|
|
|
0bf02d |
* security level to zero by default. Tests can override this by adding
|