From: Bodo Möller <bodo@openssl.org>
Date: Thu, 6 Apr 2000 22:33:14 +0000 (+0000)
Subject: In theory, TLS v1 ciphersuites are not the same as SSL v3 ciphersuites
X-Git-Tag: OpenSSL_0_9_5~67
X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=1d90f280297195f4f1fb42fdeecd0e6f5ee98366

In theory, TLS v1 ciphersuites are not the same as SSL v3 ciphersuites
---

diff --git a/CHANGES b/CHANGES
index 4269015fa0..aa20815198 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@
 
  Changes between 0.9.5a and 0.9.6  [xx XXX 2000]
 
+  *) Add '-tls1' option to 'openssl ciphers', which was already
+     mentioned in the documentation but had not been implemented.
+     (This option is not yet really useful because even the additional
+     experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.)
+     [Bodo Moeller]
+
   *) Initial DSO code added into libcrypto for letting OpenSSL (and
      OpenSSL-based applications) load shared libraries and bind to
      them in a portable way.
diff --git a/apps/ciphers.c b/apps/ciphers.c
index f8e9e7be2e..72b2009e18 100644
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -74,6 +74,7 @@ static char *ciphers_usage[]={
 " -v          - verbose mode, a textual listing of the ciphers in SSLeay\n",
 " -ssl2       - SSL2 mode\n",
 " -ssl3       - SSL3 mode\n",
+" -tls1       - TLS1 mode\n",
 NULL
 };
 
@@ -121,6 +122,10 @@ int MAIN(int argc, char **argv)
 #ifndef NO_SSL3
 		else if (strcmp(*argv,"-ssl3") == 0)
 			meth=SSLv3_client_method();
+#endif
+#ifndef NO_TLS1
+		else if (strcmp(*argv,"-tls1") == 0)
+			meth=TLSv1_client_method();
 #endif
 		else if ((strncmp(*argv,"-h",2) == 0) ||
 			 (strcmp(*argv,"-?") == 0))
diff --git a/ssl/tls1.h b/ssl/tls1.h
index 6e2b06d34f..cf92ae034f 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -84,6 +84,10 @@ extern "C" {
 #define TLS1_AD_USER_CANCELLED		90
 #define TLS1_AD_NO_RENEGOTIATION	100
 
+/* Additional TLS ciphersuites from draft-ietf-tls-56-bit-ciphersuites-00.txt
+ * (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see
+ * s3_lib.c).  We actually treat them like SSL 3.0 ciphers, which we probably
+ * shouldn't. */
 #define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5		0x03000060
 #define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5	0x03000061
 #define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA		0x03000062
@@ -92,6 +96,13 @@ extern "C" {
 #define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA	0x03000065
 #define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA		0x03000066
 
+/* XXX
+ * Inconsistency alert:
+ * The OpenSSL names of ciphers with ephemeral DH here include the string
+ * "DHE", while elsewhere it has always been "EDH".
+ * (The alias for the list of all such ciphers also is "EDH".)
+ * The specifications speak of "EDH"; maybe we should allow both forms
+ * for everything. */
 #define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5		"EXP1024-RC4-MD5"
 #define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5	"EXP1024-RC2-CBC-MD5"
 #define TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA	"EXP1024-DES-CBC-SHA"