From: Bodo Möller Date: Sat, 29 Jul 2000 19:27:20 +0000 (+0000) Subject: Document rollback issues. X-Git-Tag: OpenSSL-engine-0_9_6-beta1~17^2~1 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=aa826d88e196ec13e1df4aeb2a55b8ea579aba60;hp=37569e64e8012014a4b027d896da6c6cdf372507 Document rollback issues. --- diff --git a/CHANGES b/CHANGES index 159c1e27e7..74f5bc7d00 100644 --- a/CHANGES +++ b/CHANGES @@ -4,9 +4,11 @@ Changes between 0.9.5a and 0.9.6 [xx XXX 2000] - *) Fix SSL 2.0 rollback checking: The previous implementation of the - test was never triggered due to an off-by-one error in - RSA_padding_check_SSLv23(). + *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in + RSA_padding_check_SSLv23(), special padding was never detected + and thus the SSL 3.0/TLS 1.0 countermeasure against protocol + version rollback attacks was not effective. + In s23_clnt.c, don't use special rollback-attack detection padding (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the client; similarly, in s23_srvr.c, don't do the rollback check if diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index 99a4358255..5050a13ef2 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -367,6 +367,7 @@ static int ssl23_get_server_hello(SSL *s) s->state=SSL2_ST_GET_SERVER_HELLO_A; if (!(s->client_version == SSL2_VERSION)) + /* use special padding (SSL 3.0 draft/RFC 2246, App. E.2) */ s->s2->ssl2_rollback=1; /* setup the 5 bytes we have read so we get them from diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index cbf2f5d836..a81544a1b6 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -499,6 +499,8 @@ int ssl23_get_client_hello(SSL *s) (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)) s->s2->ssl2_rollback=0; else + /* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0 + * (SSL 3.0 draft/RFC 2246, App. E.2) */ s->s2->ssl2_rollback=1; /* setup the n bytes we have read so we get them from
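Review bot: In the CHANGES hunk, the reworded entry says the SSL 3.0/TLS 1.0 rollback countermeasure "was not effective" but does not say which releases were affected. Since this is the user-facing record of a security-relevant fix, state the release range in which RSA_padding_check_SSLv23() had the off-by-one error, so readers of CHANGES can tell whether a deployed version lacked the protection.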
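Review bot: In the ssl/s23_clnt.c hunk, the new comment sits between the unbraced `if (!(s->client_version == SSL2_VERSION))` and its only statement, `s->s2->ssl2_rollback=1;`. That compiles, but a statement added later beside the comment would silently change what the `if` controls. Either move the comment above the `if` or put the body in braces. The comment could also name RSA_SSLV23_PADDING, the term the CHANGES entry uses, so the two descriptions can be matched by a search.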
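Review bot: In the ssl/s23_srvr.c hunk, the two-line comment under `else` says "reject SSL 2.0 session", but the statement it annotates only sets `s->s2->ssl2_rollback=1;`, and nothing is rejected at this point. Reword it to say that this enables the rollback check, and name where the check runs (the CHANGES entry points at RSA_padding_check_SSLv23()). As in the client file, the comment is placed between an unbraced `else` and its single statement, so braces around the branch would make it safer to edit later.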