
List:       openssl-dev
Subject:    [openssl.org #2174] SSL_CTX_new SSL_OP_LEGACY_SERVER_CONNECT may clear previously set option
From:       "Stephen Henson via RT" <rt () openssl ! org>
Date:       2010-02-17 22:52:53
Message-ID: rt-3.4.5-6922-1266447172-145.2174-6-0 () openssl ! org

> [thoger@redhat.com - Wed Feb 17 19:03:12 2010]:
> 
> Hi!
> 
> SSL_CTX_new currently contains:
> 
>     /* Setup RFC4507 ticket keys */
>     if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
>         || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
>         || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
>         ret->options |= SSL_OP_NO_TICKET;
> 
> followed by:
> 
>     /* Default is to connect to non-RI servers. When RI is more widely
>      * deployed might change this.
>      */
>     ret->options = SSL_OP_LEGACY_SERVER_CONNECT;
> 

Fixed to |= now.

> 
> Will SSL_OP_LEGACY_SERVER_CONNECT remain part of SSL_OP_ALL once
> SSL_OP_LEGACY_SERVER_CONNECT is no longer default?
> 

Well, I'd say yes, but that does have the problem that unless existing
software is recompiled it will still use the old value (since it is a
#define).

Ideally it should be an option outside SSL_OP_ALL but 1.0.0 has run out
of new option bits and final beta isn't the time to completely
reorganise the way they are handled.

For 1.1.0 (and possibly a backport to 1.0.1) the options will be
reorganised.

Steve.
-- 
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majordomo@openssl.org
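As an added illustration (this is not code from the ticket, from Tomas Hoger or from OpenSSL itself), the C program below reproduces the ordering problem discussed above with a mock context: the ticket-key setup runs first and may set a NO_TICKET bit when the RNG fails, then the default-option step either assigns (the reported bug) or ORs in (the fix) the legacy-server-connect bit. The option bit values, the `mock_ssl_ctx` struct, the `rand_ok`/`rand_fail` stand-ins for `RAND_bytes`, and the `OP_ALL_AT_COMPILE_TIME` constant are all assumptions made for the example; the last one only models Steve's point that a bit folded into an `SSL_OP_ALL` `#define` is baked into binaries built against the old header.

```c
#include <stdio.h>
#include <string.h>

/* Assumed option bits for the example; not OpenSSL's real #defines. */
#define OP_LEGACY_SERVER_CONNECT  0x00000004UL
#define OP_NO_TICKET              0x00004000UL
/* Models an SSL_OP_ALL that includes the legacy bit at compile time. */
#define OP_ALL_AT_COMPILE_TIME    (0x00000FFFUL | OP_LEGACY_SERVER_CONNECT)

/* Minimal stand-in for the parts of SSL_CTX touched by SSL_CTX_new. */
typedef struct {
    unsigned long options;
    unsigned char tick_key_name[16];
    unsigned char tick_hmac_key[16];
    unsigned char tick_aes_key[16];
} mock_ssl_ctx;

/* Stand-ins for RAND_bytes(): return 1 on success, 0 on failure. */
typedef int (*rand_fn)(unsigned char *buf, int num);

static int rand_ok(unsigned char *buf, int num)
{
    memset(buf, 0x42, (size_t)num);   /* constant bytes; assumption, not random */
    return 1;
}

static int rand_fail(unsigned char *buf, int num)
{
    (void)buf; (void)num;
    return 0;
}

/* Mirrors the order of operations in the reported SSL_CTX_new: ticket keys
 * first (setting NO_TICKET if any RNG call fails), then the default option.
 * buggy != 0 uses plain assignment as reported; 0 uses the |= fix. */
static unsigned long setup_options(rand_fn rng, int buggy)
{
    mock_ssl_ctx ctx;
    memset(&ctx, 0, sizeof(ctx));

    if (rng(ctx.tick_key_name, 16) <= 0
        || rng(ctx.tick_hmac_key, 16) <= 0
        || rng(ctx.tick_aes_key, 16) <= 0)
        ctx.options |= OP_NO_TICKET;   /* tickets unusable without keys */

    if (buggy)
        ctx.options = OP_LEGACY_SERVER_CONNECT;    /* clobbers NO_TICKET */
    else
        ctx.options |= OP_LEGACY_SERVER_CONNECT;   /* preserves it */

    return ctx.options;
}

/* 1 if the NO_TICKET bit survived the default-option step. */
static int no_ticket_kept(unsigned long options)
{
    return (options & OP_NO_TICKET) != 0;
}

/* An application that did SSL_CTX_set_options(ctx, SSL_OP_ALL) captured the
 * header's value when it was compiled; this returns whether the legacy bit
 * is therefore still being requested, whatever the library now thinks. */
static int app_requests_legacy(unsigned long op_all_when_compiled)
{
    return (op_all_when_compiled & OP_LEGACY_SERVER_CONNECT) != 0;
}

int main(void)
{
    printf("RNG failed, '=' : NO_TICKET kept? %d\n",
           no_ticket_kept(setup_options(rand_fail, 1)));
    printf("RNG failed, '|=': NO_TICKET kept? %d\n",
           no_ticket_kept(setup_options(rand_fail, 0)));
    printf("RNG ok,     '|=': NO_TICKET kept? %d\n",
           no_ticket_kept(setup_options(rand_ok, 0)));
    printf("old binary still requests legacy bit? %d\n",
           app_requests_legacy(OP_ALL_AT_COMPILE_TIME));
    return 0;
}
```

With the assignment form, a context whose ticket keys could not be generated silently loses the NO_TICKET marker and will go on to issue RFC 4507 tickets protected by all-zero keys; the `|=` form keeps the marker. The last check is why moving the bit out of `SSL_OP_ALL` only helps binaries that are rebuilt against the new header.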