Don't disable rollback attack detection as a recommended bug workaround.

diff --git a/CHANGES b/CHANGES
index 0c96da129cb4fe82815bab20c4a4c19988521ccf..7ec91e58d224ab8e5b07933ec64be10897316e42 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -12,6 +12,14 @@
          *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
          +) applies to 0.9.7 only
 
          *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
          +) applies to 0.9.7 only
 

+  +) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
+     bug workarounds. Rollback attack detection is a security feature.
+     The problem will only arise on OpenSSL servers, when TLSv1 is not
+     available (sslv3_server_method() or SSL_OP_NO_TLSv1).
+     Software authors not wanting to support TLSv1 will have special reasons
+     for their choice and can explicitly enable this option.
+     [Bodo Moeller, Lutz Jaenicke]
+

   +) Rationalise EVP so it can be extended: don't include a union of
      cipher/digest structures, add init/cleanup functions. This also reduces
      the number of header dependencies.
   +) Rationalise EVP so it can be extended: don't include a union of
      cipher/digest structures, add init/cleanup functions. This also reduces
      the number of header dependencies.

diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
index 88304ef7edfbeaee15c10a50a8f90700c0e570e9..4e7fbaedc850a06c106cc78fb6bb6f69b62a8cb8 100644 (file)
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -100,18 +100,6 @@ doing a re-connect, always takes the first cipher in the cipher list.
 
 ...
 
 
 ...
 

-=item SSL_OP_TLS_ROLLBACK_BUG
-
-Disable version rollback attack detection.
-
-During the client key exchange, the client must send the same information
-about acceptable SSL/TLS protocol levels as during the first hello. Some
-clients violate this rule by adapting to the server's answer. (Example:
-the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
-only understands up to SSLv3. In this case the client must still use the
-same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
-to the server's answer and violate the version rollback protection.)
-

 =item SSL_OP_ALL
 
 All of the above bug workarounds.
 =item SSL_OP_ALL
 
 All of the above bug workarounds.


@@ -125,6 +113,18 @@ The following B<modifying> options are available:
 
 =over 4
 
 
 =over 4
 

+=item SSL_OP_TLS_ROLLBACK_BUG
+
+Disable version rollback attack detection.
+
+During the client key exchange, the client must send the same information
+about acceptable SSL/TLS protocol levels as during the first hello. Some
+clients violate this rule by adapting to the server's answer. (Example:
+the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
+only understands up to SSLv3. In this case the client must still use the
+same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
+to the server's answer and violate the version rollback protection.)
+

 =item SSL_OP_SINGLE_DH_USE
 
 Always create a new key when using temporary/ephemeral DH parameters
 =item SSL_OP_SINGLE_DH_USE
 
 Always create a new key when using temporary/ephemeral DH parameters


@@ -207,6 +207,8 @@ L<dhparam(1)|dhparam(1)>
 
 SSL_OP_CIPHER_SERVER_PREFERENCE has been added in OpenSSL 0.9.7.
 
 
 SSL_OP_CIPHER_SERVER_PREFERENCE has been added in OpenSSL 0.9.7.
 

-SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6.
+SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6 and was automatically
+enabled with SSL_OP_ALL. As of 0.9.7 it is no longer included in SSL_OP_ALL
+and must be explicitely set.

 
 =cut
 
 =cut

diff --git a/ssl/ssl.h b/ssl/ssl.h
index dc80ae9e43771a4e42996b04104862dba7c6e7da..8f5d0a4d4754c8d00146490613d9ef4888e75402 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -332,7 +332,6 @@ typedef struct ssl_session_st
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                        0x00000080L
 #define SSL_OP_TLS_D5_BUG                              0x00000100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG                   0x00000200L
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                        0x00000080L
 #define SSL_OP_TLS_D5_BUG                              0x00000100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG                   0x00000200L

-#define SSL_OP_TLS_ROLLBACK_BUG                                0x00000400L

 
 /* If set, always create a new key when using tmp_dh parameters */
 #define SSL_OP_SINGLE_DH_USE                           0x00100000L
 
 /* If set, always create a new key when using tmp_dh parameters */
 #define SSL_OP_SINGLE_DH_USE                           0x00100000L


@@ -341,6 +340,11 @@ typedef struct ssl_session_st
 /* Set on servers to choose the cipher according to the server's
  * preferences */
 #define SSL_OP_CIPHER_SERVER_PREFERENCE                        0x00400000L
 /* Set on servers to choose the cipher according to the server's
  * preferences */
 #define SSL_OP_CIPHER_SERVER_PREFERENCE                        0x00400000L

+/* If set, a server will allow a client to issue a SSLv3.0 version number
+ * as latest version supported in the premaster secret, even when TLSv1.0
+ * (version 3.1) was announced in the client hello. Normally this is
+ * forbidden to prevent version rollback attacks. */
+#define SSL_OP_TLS_ROLLBACK_BUG                                0x00800000L

 
 /* The next flag deliberately changes the ciphertest, this is a check
  * for the PKCS#1 attack */
 
 /* The next flag deliberately changes the ciphertest, this is a check
  * for the PKCS#1 attack */