From 3c33c6f6b10864355553961e638514a6d1bb00f6 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Thu, 5 Feb 2015 15:57:54 +0000
Subject: [PATCH] Remove support for SSL_OP_NETSCAPE_CA_DN_BUG.

This is an ancient bug workaround for Netscape clients. The documentation talks about versions 3.x and 4.x beta.

Reviewed-by: Tim Hudson
---
 doc/ssl/SSL_CTX_set_options.pod | 5 -----
 ssl/s3_clnt.c | 18 +++---------------
 ssl/s3_srvr.c | 18 ++++--------------
 ssl/ssl.h | 3 ++-
 4 files changed, 9 insertions(+), 35 deletions(-)

diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
index 593435c493..dc3d4f188a 100644
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -169,11 +169,6 @@ will send its list of preferences to the client and the client chooses.
 ...
-=item SSL_OP_NETSCAPE_CA_DN_BUG
-
-If we accept a netscape connection, demand a client cert, have a
-non-self-signed CA which does not have its CA in netscape, and the
-browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta
 =item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 5e2b543e6b..4d7d05b608 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2109,8 +2109,6 @@ int ssl3_get_certificate_request(SSL *s)
 for (nc = 0; nc < llen;) {
 n2s(p, l);
 if ((l + nc + 2) > llen) {
- if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) goto cont; /* netscape bugs */
 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
 goto err;
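Review bot: In the loop this hunk keeps, `n2s(p, l)` consumes two length bytes before anything confirms that two bytes remain in the CA-DN list: the loop runs while `nc < llen`, so at `nc == llen - 1` the read touches one byte past the llen-byte list before the `(l + nc + 2) > llen` check rejects the entry. Whether that byte still lies inside the handshake message depends on how llen was validated earlier in ssl3_get_certificate_request, which is outside this hunk, so the over-read may be benign but it is not prevented here. A guard placed before the read closes the gap: `if (nc + 2 > llen) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG); goto err; }`. The function starts before the hunk and its body continues after it.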
@@ -2119,14 +2117,9 @@ int ssl3_get_certificate_request(SSL *s)
 q = p;
 if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
- /* If netscape tolerance is on, ignore errors */
- if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
- goto cont;
- else {
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
- goto err;
- }
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+ SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
+ goto err;
 }
 if (q != (p + l)) {
@@ -2144,11 +2137,6 @@ int ssl3_get_certificate_request(SSL *s)
 nc += l + 2;
 }
- if (0) {
- cont:
- ERR_clear_error();
- }
-
 /* we should setup a certificate to return.... */
 s->s3->tmp.cert_req = 1;
 s->s3->tmp.ctype_num = ctype_num;
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index f31b76a96a..8819fed777 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2056,20 +2056,10 @@ int ssl3_send_certificate_request(SSL *s)
 goto err;
 }
 p = ssl_handshake_start(s) + n;
- if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
- s2n(j, p);
- i2d_X509_NAME(name, &p);
- n += 2 + j;
- nl += 2 + j;
- } else {
- d = p;
- i2d_X509_NAME(name, &p);
- j -= 2;
- s2n(j, d);
- j += 2;
- n += j;
- nl += j;
- }
+ s2n(j, p);
+ i2d_X509_NAME(name, &p);
+ n += 2 + j;
+ nl += 2 + j;
 }
 }
 /* else no CA names */
diff --git a/ssl/ssl.h b/ssl/ssl.h
index a3b8a81fe3..8eed2caa54 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -478,7 +478,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
 # define SSL_OP_PKCS1_CHECK_1 0x0
 # define SSL_OP_PKCS1_CHECK_2 0x0
-# define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
+/* Removed as of OpenSSL 1.1.0 */
+# define SSL_OP_NETSCAPE_CA_DN_BUG 0x0
 # define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
 /*
 * Make server add server-hello extension from early version of cryptopro
-- 
2.34.1
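Review bot: On the new side of the s3_srvr.c hunk, `i2d_X509_NAME(name, &p)` is called only for its side effect and its return value is dropped, so the number of bytes actually written is assumed to equal `j`, which `s2n(j, p)` has already recorded as the length prefix and which `n += 2 + j` and `nl += 2 + j` use to advance the buffer accounting. `j` is presumably the result of a sizing call earlier in the loop, outside this hunk; if the encode step ever returns a different length or fails, the prefix and the counters silently disagree with the bytes in the buffer. Checking the invariant is one line: `if (i2d_X509_NAME(name, &p) != j) goto err;`, using the `err` label the hunk's first context line already targets. Both the enclosing loop and ssl3_send_certificate_request start before the hunk.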
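Review bot: The comment added above `SSL_OP_NETSCAPE_CA_DN_BUG` in ssl.h says the option was removed but not what the zero definition means for callers, nor what happens to bit 0x20000000L, which the removed line shows this option occupied. With the value 0x0, `SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_CA_DN_BUG)` becomes a silent no-op and any `options & SSL_OP_NETSCAPE_CA_DN_BUG` test is constantly false; this matches the `SSL_OP_PKCS1_CHECK_*` entries just above, but it is worth stating, and whether the freed bit may later be reassigned (a binary built against the old header would still pass 0x20000000L) is a decision the header should record. Suggested wording, to be confirmed against the project's policy for retired option bits: `/* SSL_OP_NETSCAPE_CA_DN_BUG was removed in 1.1.0; kept as 0x0 for source compatibility (setting it is a no-op). Bit 0x20000000L is retired and should not be reassigned while older binaries may still pass it. */`. The surrounding option table continues outside the hunk.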