List: openssl-dev
Subject: [openssl.org #2174] SSL_CTX_new SSL_OP_LEGACY_SERVER_CONNECT may clear previously set option
From: "Stephen Henson via RT" <rt () openssl ! org>
Date: 2010-02-17 22:52:53
Message-ID: rt-3.4.5-6922-1266447172-145.2174-6-0 () openssl ! org
> [thoger@redhat.com - Wed Feb 17 19:03:12 2010]:
>
> Hi!
>
> SSL_CTX_new currently contains:
>
> /* Setup RFC4507 ticket keys */
> if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
> || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
> || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
> ret->options |= SSL_OP_NO_TICKET;
>
> followed by:
>
> /* Default is to connect to non-RI servers. When RI is more widely
> * deployed might change this.
> */
> ret->options = SSL_OP_LEGACY_SERVER_CONNECT;
>
Fixed to |= now.
>
> Will SSL_OP_LEGACY_SERVER_CONNECT remain part of SSL_OP_ALL once
> SSL_OP_LEGACY_SERVER_CONNECT is no longer default?
>
Well I'd say yes but that does have the problem that unless existing
software is recompiled it will still use the old value (since it is a
#define).
Ideally it should be an option outside SSL_OP_ALL but 1.0.0 has run out
of new option bits and final beta isn't the time to completely
reorganise the way they are handled.
For 1.1.0 (and possibly a backport to 1.0.1) the options will be
reorganised.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
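Added illustration of the report above (not code from the thread or from OpenSSL): a stand-alone model of the option setup in SSL_CTX_new, with the original `=` and the corrected `|=` side by side, and the regression check that would have caught the lost SSL_OP_NO_TICKET. The struct and the RNG stand-in are hypothetical; the two option bit values are assumed to match OpenSSL 1.0.0's ssl.h and are not linked from the real library.

```c
#include <stdio.h>

/* Option bits, assumed from OpenSSL 1.0.0's ssl.h (not linked against
 * the real library) */
#define SSL_OP_NO_TICKET              0x00004000L
#define SSL_OP_LEGACY_SERVER_CONNECT  0x00000004L

struct ctx { unsigned long options; };   /* hypothetical stand-in for SSL_CTX */

/* Stand-in for the RFC 4507 ticket key setup: when the RNG fails,
 * SSL_CTX_new disables tickets by setting SSL_OP_NO_TICKET. */
static int setup_ticket_keys(struct ctx *ret, int rng_ok)
{
    if (!rng_ok)
        ret->options |= SSL_OP_NO_TICKET;
    return rng_ok;
}

/* Models the option initialisation in SSL_CTX_new. `fixed` selects the
 * corrected `|=`; otherwise the original `=` overwrites everything set
 * before it, which is the bug reported in this ticket. */
unsigned long ctx_init_options(int rng_ok, int fixed)
{
    struct ctx ret = { 0 };
    setup_ticket_keys(&ret, rng_ok);
    if (fixed)
        ret.options |= SSL_OP_LEGACY_SERVER_CONNECT;
    else
        ret.options = SSL_OP_LEGACY_SERVER_CONNECT;   /* clears NO_TICKET */
    return ret.options;
}

/* Regression check: an option set earlier must survive the defaults. */
int no_ticket_preserved(int fixed)
{
    unsigned long opts = ctx_init_options(/* rng_ok */ 0, fixed);
    return (opts & SSL_OP_NO_TICKET) != 0;
}

int main(void)
{
    printf("original '=' : NO_TICKET kept = %d\n", no_ticket_preserved(0));
    printf("fixed   '|=' : NO_TICKET kept = %d\n", no_ticket_preserved(1));
    return 0;
}
```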