Move SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION out of SSL_OP_ALL and move SSL_OP_NO_TL...
authorDr. Stephen Henson <steve@openssl.org>
Fri, 11 Dec 2009 00:23:12 +0000 (00:23 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 11 Dec 2009 00:23:12 +0000 (00:23 +0000)
ssl/ssl.h

index 897a8ca..dbfcca7 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -525,7 +525,7 @@ typedef struct ssl_session_st
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                        0x00000080L
 #define SSL_OP_TLS_D5_BUG                              0x00000100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG                   0x00000200L
-#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION       0x00000400L
+#define SSL_OP_NO_TLSv1_1                              0x00000400L
 
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
  * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
@@ -536,7 +536,7 @@ typedef struct ssl_session_st
 
 /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
  *             This used to be 0x000FFFFFL before 0.9.7. */
-#define SSL_OP_ALL                                     0x80000FFFL
+#define SSL_OP_ALL                                     0x80000BFFL
 
 /* DTLS options */
 #define SSL_OP_NO_QUERY_MTU                 0x00001000L
@@ -551,6 +551,8 @@ typedef struct ssl_session_st
 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION  0x00010000L
 /* Don't use compression even if supported */
 #define SSL_OP_NO_COMPRESSION                          0x00020000L
+/* Permit unsafe legacy renegotiation */
+#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION       0x00040000L
 /* If set, always create a new key when using tmp_ecdh parameters */
 #define SSL_OP_SINGLE_ECDH_USE                         0x00080000L
 /* If set, always create a new key when using tmp_dh parameters */
@@ -570,7 +572,6 @@ typedef struct ssl_session_st
 #define SSL_OP_NO_SSLv2                                        0x01000000L
 #define SSL_OP_NO_SSLv3                                        0x02000000L
 #define SSL_OP_NO_TLSv1                                        0x04000000L
-#define SSL_OP_NO_TLSv1_1                              0x00040000L
 
 /* The next flag deliberately changes the ciphertest, this is a check
  * for the PKCS#1 attack */