Google Git
Sign in
boringssl / boringssl.git / 3fbc298104c150ed18f10eed2d2e66633f05ee98
commit3fbc298104c150ed18f10eed2d2e66633f05ee98[log] [tgz]
authorAdam Langley <agl@google.com>Thu Feb 26 11:07:37 2015 -0800
committerAdam Langley <agl@google.com>Thu Feb 26 21:35:29 2015 +0000
treec1d8161d2b3346ab0b98e506615d7f7c14d58218
parent54e455157a6e1899eb6fef9440d2410cb7fedeff [diff]
Only allow ephemeral RSA keys in export ciphersuites.

OpenSSL clients would tolerate temporary RSA keys in non-export ciphersuites.
It also had an option SSL_OP_EPHEMERAL_RSA which enabled this server side.
Remove both options as they are a protocol violation.

Thanks to Karthikeyan Bhargavan for reporting this issue. (CVE-2015-0204)

(This is a backport of upstream's
37580f43b5a39f5f4e920d17273fab9713d3a744 to the M40 branch. In BoringSSL
master we fixed this with
https://boringssl.googlesource.com/boringssl/+/525a0fe315282ca1840f8f9f170c8a26ce5fab2a,
but that's a larger patch than we really want to be backporting.)

Change-Id: Ibfb0c46648bbecffb9d3b1a4ebdf10a5a79523b3
Reviewed-on: https://boringssl-review.googlesource.com/3640
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
1 file changed
tree: c1d8161d2b3346ab0b98e506615d7f7c14d58218
  1. crypto/
  2. doc/
  3. include/
  4. ssl/
  5. tool/
  6. util/
  7. .clang-format
  8. .gitignore
  9. BUILDING
  10. CMakeLists.txt