From fabce04122b1e6a208577c06927b25595d5b5613 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Sun, 23 Jan 2000 02:28:08 +0000
Subject: [PATCH] Make s_server, s_client check cipher list return codes. Update docs.
---
 CHANGES | 30 +++++++++++++++++++++---------
 apps/s_client.c | 8 ++++++--
 apps/s_server.c | 6 +++++-
 doc/apps/s_client.pod | 6 ++++--
 doc/apps/s_server.pod | 7 +++++--
 5 files changed, 41 insertions(+), 16 deletions(-)
diff --git a/CHANGES b/CHANGES
index d9be214926..a1bae7ee6d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -20,15 +20,27 @@ (instead of parameters) in future. [Steve Henson] - *) Apply Lutz Jaenicke's 56bit cipher patch. This should fix the problems - with cipher ordering and the new EXPORT1024 ciphers. Only two minor - changes have been made, the error reason codes have been altered and the - @STRENGTH sorting behaviour changed so eNULL ciphers are also sorted - (if present). - - One other addition: the "ciphers" program didn't check the return code - of SSL_CTX_set_cipher_list(). - [Lutz Jaenicke modified by Steve Henson] + *) Make the ciphers, s_server and s_client programs check the return values + when a new cipher list is set. + [Steve Henson] + + *) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit + ciphers. Before when the 56bit ciphers were enabled the sorting was + wrong. + + The syntax for the cipher sorting has been extended to support sorting by + cipher-strength (using the strength_bits hard coded in the tables). + The new command is "@STRENGTH" (see also doc/apps/ciphers.pod). + + Fix a bug in the cipher-command parser: when supplying a cipher command + string with an "undefined" symbol (neither command nor alphanumeric + [A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now + an error is flagged. + + Due to the strength-sorting extension, the code of the + ssl_create_cipher_list() function was completely rearranged. I hope that + the readability was also increased :-) + [Lutz Jaenicke ] *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1 for the first serial number and places 2 in the serial number file. This diff --git a/apps/s_client.c b/apps/s_client.c index 84a475d7b8..c9b52e6a99 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -338,6 +338,7 @@ bad: } SSLeay_add_ssl_algorithms(); + SSL_load_error_strings(); ctx=SSL_CTX_new(meth); if (ctx == NULL) { 
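Review bot: Nothing in the code records why SSL_load_error_strings() now has to run before SSL_CTX_new() in the `@@ -338,6 +338,7 @@` hunk of apps/s_client.c. The later hunk in this file adds an ERR_print_errors(bio_err) call on the cipher-list failure path, which is presumably what needs the strings loaded this early, so a later tidy-up could move the call back down without noticing. A one-line comment above the call would pin the ordering: `/* must precede any ERR_print_errors() call below so reasons print as text */`. The enclosing function starts and ends outside the hunk.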
@@ -352,7 +353,11 @@ bad: if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); if (cipher != NULL) - SSL_CTX_set_cipher_list(ctx,cipher); + if(!SSL_CTX_set_cipher_list(ctx,cipher)) { + BIO_printf(bio_err,"error seting cipher list\n"); + ERR_print_errors(bio_err); + goto end; + } #if 0 else SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER")); @@ -370,7 +375,6 @@ bad: /* goto end; */ } - SSL_load_error_strings(); con=(SSL *)SSL_new(ctx); /* SSL_set_cipher_list(con,"RC4-MD5"); */ diff --git a/apps/s_server.c b/apps/s_server.c index ff0354acc8..bbb651b6ea 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -697,7 +697,11 @@ bad: #endif if (cipher != NULL) - SSL_CTX_set_cipher_list(ctx,cipher); + if(!SSL_CTX_set_cipher_list(ctx,cipher)) { + BIO_printf(bio_err,"error seting cipher list\n"); + ERR_print_errors(bio_err); + goto end; + } SSL_CTX_set_verify(ctx,s_server_verify,verify_callback); SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context, sizeof s_server_session_id_context); diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index cd9093eaba..5145bb65a9 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -144,8 +144,10 @@ option enables various workarounds. =item B<-cipher cipherlist> -this allows the cipher list sent by the client to be modified. See the -B command for more information. +this allows the cipher list sent by the client to be modified. Although +the server determines which cipher suite is used it should take the first +supported cipher in the list sent by the client. See the B +command for more information. =back diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index ddd08c990e..e07d066bc7 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod 
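Review bot: The new check in the `@@ -352,7 +353,11 @@` hunk of apps/s_client.c is nested under `if (cipher != NULL)` without braces, directly above the disabled `#if 0` / `else` block. If that block is ever re-enabled, the `else` will bind to the inner `if(!SSL_CTX_set_cipher_list(ctx,cipher))`, so the SSL_CIPHER fallback would run after a successful set instead of when no `-cipher` was given. Bracing the outer test, `if (cipher != NULL) {` … `}`, keeps the pairing explicit; the same unbraced nesting is added in the apps/s_server.c hunk `@@ -697,7 +697,11 @@`. Both hunks also print `"error seting cipher list\n"`, which should read `"error setting cipher list\n"`.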
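Review bot: Whether ERR_print_errors(bio_err) in the new failure branch of apps/s_server.c (`@@ -697,7 +697,11 @@`) prints readable reasons depends on SSL_load_error_strings() having run earlier, and this hunk does not show that. The s_client.c part of the commit moves that call ahead of SSL_CTX_new(), but there is no matching change here; most of the function lies outside the hunk, so the call may already be made early, which is worth confirming. It is also worth checking that the `end:` path leaves a non-zero exit status, so a script can tell a rejected `-cipher` string from a normal shutdown.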
@@ -167,8 +167,11 @@ SSL code (?). =item B<-cipher cipherlist> -this allows the cipher list sent by the client to be modified. See the -B command for more information. +this allows the cipher list used by the server to be modified. When +the client sends a list of supported ciphers the first client cipher +also included in the server list is used. Because the client specifies +the preference order, the order of the server cipherlist irrelevant. See +the B command for more information. =item B<-www> -- 2.34.1