diff options
| author | jsing <> | 2014-09-21 17:11:04 +0000 |
|---|---|---|
| committer | jsing <> | 2014-09-21 17:11:04 +0000 |
| commit | c8c9d3c3e1b177e5460971854d7f727626d4b049 (patch) | |
| tree | e5cbc90250f990364220e3f3a9e5eaf4714c2bdf /src/lib/libssl/ssl.h | |
| parent | 841b225a53e89adbf4f8b877083b372f9adc0c07 (diff) | |
| download | openbsd-c8c9d3c3e1b177e5460971854d7f727626d4b049.tar.gz openbsd-c8c9d3c3e1b177e5460971854d7f727626d4b049.tar.bz2 openbsd-c8c9d3c3e1b177e5460971854d7f727626d4b049.zip | |
Move the TLS padding extension under an SSL_OP_TLSEXT_PADDING option, which
is off by default (instead of being enabled unconditionally).
The TLS padding extension was added as a workaround for a bug in F5 SSL
terminators, however appears to trigger bugs in IronPort SMTP appliances.
Now the SSL client gets to choose which of these devices it wants to
trigger bugs in...
Ported from OpenSSL.
Discussed with many.
ok miod@
Diffstat (limited to 'src/lib/libssl/ssl.h')
| -rw-r--r-- | src/lib/libssl/ssl.h | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 857709f7c5..1851cd9525 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl.h,v 1.63 2014/08/10 14:42:56 jsing Exp $ */ | 1 | /* $OpenBSD: ssl.h,v 1.64 2014/09/21 17:11:04 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -514,7 +514,7 @@ struct ssl_session_st { | |||
| 514 | /* Allow initial connection to servers that don't support RI */ | 514 | /* Allow initial connection to servers that don't support RI */ |
| 515 | #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L | 515 | #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L |
| 516 | #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L | 516 | #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L |
| 517 | #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L | 517 | #define SSL_OP_TLSEXT_PADDING 0x00000010L |
| 518 | #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L | 518 | #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L |
| 519 | #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L | 519 | #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L |
| 520 | #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L | 520 | #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L |
| @@ -524,6 +524,9 @@ struct ssl_session_st { | |||
| 524 | /* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */ | 524 | /* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */ |
| 525 | #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0 | 525 | #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0 |
| 526 | 526 | ||
| 527 | /* Refers to ancient SSLREF and SSLv2, retained for compatibility */ | ||
| 528 | #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0 | ||
| 529 | |||
| 527 | /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added | 530 | /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added |
| 528 | * in OpenSSL 0.9.6d. Usually (depending on the application protocol) | 531 | * in OpenSSL 0.9.6d. Usually (depending on the application protocol) |
| 529 | * the workaround is not needed. | 532 | * the workaround is not needed. |