Disable SSLv3 by default.

As a precursor to removing the code entirely later, disable the protocol
by default. Callers must use SSL_CTX_set_min_version to enable it.

This change also makes SSLv3_method *not* enable SSL 3.0. Normally
version-specific methods set the minimum and maximum version to their
version. SSLv3_method leaves the minimum at the default, so we will
treat it as all versions disabled. To help debugging, the error code is
switched from WRONG_SSL_VERSION to a new NO_SUPPORTED_VERSIONS_ENABLED.

This also defines OPENSSL_NO_SSL3 and OPENSSL_NO_SSL3_METHOD to kick in
any no-ssl3 build paths in consumers, which should provide a convenient
hook for any upstreaming changes that may be needed. (OPENSSL_NO_SSL3
existed in older versions of OpenSSL, so in principle one may encounter
an OpenSSL with the same settings.)

Change-Id: I96a8f2f568eb77b2537b3a774b2f7108bd67dd0c
Reviewed-on: https://boringssl-review.googlesource.com/14031
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/include/openssl/opensslconf.h b/include/openssl/opensslconf.h
index bf65fc3..deff101 100644
--- a/include/openssl/opensslconf.h
+++ b/include/openssl/opensslconf.h
@@ -52,6 +52,8 @@
 #define OPENSSL_NO_SEED
 #define OPENSSL_NO_SRP
 #define OPENSSL_NO_SSL2
+#define OPENSSL_NO_SSL3
+#define OPENSSL_NO_SSL3_METHOD
 #define OPENSSL_NO_STATIC_ENGINE
 #define OPENSSL_NO_STORE
 #define OPENSSL_NO_WHIRLPOOL
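Review bot: The added `OPENSSL_NO_SSL3` and `OPENSSL_NO_SSL3_METHOD` read as "SSL 3.0 is compiled out", but the commit description says the protocol is only disabled by default and a caller can still opt in by lowering the minimum version. A consumer or audit keyed on `OPENSSL_NO_SSL3` could therefore wrongly conclude that SSL 3.0 is unreachable in this build. A short comment above the pair would record the distinction, for example `/* SSL 3.0 is disabled by default but not yet removed; defined so consumers take their no-ssl3 paths. */`. The rest of the define list lies outside the hunk, so whether it carries comments elsewhere is not visible here.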
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 327f785..13ebae5 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3402,13 +3402,15 @@
  * |DTLS_method| except they also call |SSL_CTX_set_min_proto_version| and
  * |SSL_CTX_set_max_proto_version| to lock connections to that protocol
  * version. */
-OPENSSL_EXPORT const SSL_METHOD *SSLv3_method(void);
 OPENSSL_EXPORT const SSL_METHOD *TLSv1_method(void);
 OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_method(void);
 OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_method(void);
 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_method(void);
 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_method(void);
 
+/* SSLv3_method returns an |SSL_METHOD| with no versions enabled. */
+OPENSSL_EXPORT const SSL_METHOD *SSLv3_method(void);
+
 /* These client- and server-specific methods call their corresponding generic
  * methods. */
 OPENSSL_EXPORT const SSL_METHOD *TLS_server_method(void);
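Review bot: The new doc comment on `SSLv3_method` says that no versions are enabled, but not what a caller then observes or how to opt back in. Going by the commit description, a handshake on such a context fails with the new `SSL_R_NO_SUPPORTED_VERSIONS_ENABLED`, and SSL 3.0 has to be enabled explicitly through the minimum-version setter. I would extend the comment to `/* SSLv3_method returns an |SSL_METHOD| with no versions enabled. Handshakes fail with |SSL_R_NO_SUPPORTED_VERSIONS_ENABLED| unless the caller lowers the minimum with |SSL_CTX_set_min_proto_version|. */`, after confirming that lowering the minimum on this method really does re-enable the protocol. It may also be worth saying that the function is kept only for source compatibility, so new callers do not reach for it.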
@@ -4641,6 +4643,7 @@
 #define SSL_R_ALPN_MISMATCH_ON_EARLY_DATA 277
 #define SSL_R_WRONG_VERSION_ON_EARLY_DATA 278
 #define SSL_R_CHANNEL_ID_ON_EARLY_DATA 279
+#define SSL_R_NO_SUPPORTED_VERSIONS_ENABLED 280
 #define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000
 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020