B<only>: this option is currently set by default. See the
B<SECURE RENEGOTIATION> section for more details.
+=item SSL_OP_NO_ENCRYPT_THEN_MAC
+
+Normally clients and servers will transparently attempt to negotiate the
+RFC7366 Encrypt-then-MAC option on TLS and DTLS connection.
+
+If this option is set, Encrypt-then-MAC is disabled. Clients will not
+propose, and servers will not accept the extension.
+
=back
=head1 SECURE RENEGOTIATION
# define SSL_OP_NO_COMPRESSION 0x00020000U
/* Permit unsafe legacy renegotiation */
# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000U
+/* Disable encrypt-then-mac */
+# define SSL_OP_NO_ENCRYPT_THEN_MAC 0x00080000U
/*
* Set on servers to choose the cipher according to the server's preferences
*/
* silently failed to actually do it. It is fixed in 1.1.1 but to
* ease the transition especially from 1.1.0b to 1.1.0c, we just
* disable it in 1.1.0.
+ * Also skip if SSL_OP_NO_ENCRYPT_THEN_MAC is set.
*/
- if (!SSL_IS_DTLS(s)) {
+ if (!SSL_IS_DTLS(s) && !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) {
/*-
* check for enough space.
* 4 bytes for the ETM type and extension length
return 0;
}
#endif
- else if (type == TLSEXT_TYPE_encrypt_then_mac)
+ else if (type == TLSEXT_TYPE_encrypt_then_mac &&
+ !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
s->tlsext_use_etm = 1;
/*
* Note: extended master secret extension handled in
#endif
else if (type == TLSEXT_TYPE_encrypt_then_mac) {
/* Ignore if inappropriate ciphersuite */
- if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
+ if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) &&
+ s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
&& s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
s->tlsext_use_etm = 1;
} else if (type == TLSEXT_TYPE_extended_master_secret) {