diff options
| author | jsing <> | 2015-02-22 15:54:27 +0000 |
|---|---|---|
| committer | jsing <> | 2015-02-22 15:54:27 +0000 |
| commit | 78601da9335579c01a88b356a8323117f14ec379 (patch) | |
| tree | 38ba794e823ec25b4428f85632c6cdd2573912da /src/lib/libssl/ssl3.h | |
| parent | 9ca594bf596db20fe3bf5a6e78e6df39cf9e10cd (diff) | |
| download | openbsd-78601da9335579c01a88b356a8323117f14ec379.tar.gz openbsd-78601da9335579c01a88b356a8323117f14ec379.tar.bz2 openbsd-78601da9335579c01a88b356a8323117f14ec379.zip | |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.
Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
Diffstat (limited to 'src/lib/libssl/ssl3.h')
| -rw-r--r-- | src/lib/libssl/ssl3.h | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h index 644e8df16b..61f600c55d 100644 --- a/src/lib/libssl/ssl3.h +++ b/src/lib/libssl/ssl3.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl3.h,v 1.35 2015/02/12 03:45:25 jsing Exp $ */ | 1 | /* $OpenBSD: ssl3.h,v 1.36 2015/02/22 15:54:27 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -125,9 +125,12 @@ | |||
| 125 | extern "C" { | 125 | extern "C" { |
| 126 | #endif | 126 | #endif |
| 127 | 127 | ||
| 128 | /* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */ | 128 | /* TLS_EMPTY_RENEGOTIATION_INFO_SCSV from RFC 5746. */ |
| 129 | #define SSL3_CK_SCSV 0x030000FF | 129 | #define SSL3_CK_SCSV 0x030000FF |
| 130 | 130 | ||
| 131 | /* TLS_FALLBACK_SCSV from draft-ietf-tls-downgrade-scsv-03. */ | ||
| 132 | #define SSL3_CK_FALLBACK_SCSV 0x03005600 | ||
| 133 | |||
| 131 | #define SSL3_CK_RSA_NULL_MD5 0x03000001 | 134 | #define SSL3_CK_RSA_NULL_MD5 0x03000001 |
| 132 | #define SSL3_CK_RSA_NULL_SHA 0x03000002 | 135 | #define SSL3_CK_RSA_NULL_SHA 0x03000002 |
| 133 | #define SSL3_CK_RSA_RC4_40_MD5 0x03000003 | 136 | #define SSL3_CK_RSA_RC4_40_MD5 0x03000003 |