SSL_OP_ALL is supposed to be all options and workarounds that are safe,

but disabling attack mitigations is not safe. 0.9.6d contained a workaround for an attack against CBC modes. 0.9.6e disabled it by default because "some" implementations couldn't handle empty fragments. 12 years have passed. Does anybody still care? Let's find out. ok miod
author: tedu <> 2014-04-28 20:05:21 +0000
committer: tedu <> 2014-04-28 20:05:21 +0000
commit: 1930e571259f12d9779f43a180c86db18518919c (patch)
tree: c6d7fa38764e2c3c5e895a7f308a8e84029f9482 /src/lib
parent: 7a4f732a85349df89eada8ce0370b3487ae64549 (diff)
download: openbsd-1930e571259f12d9779f43a180c86db18518919c.tar.gz
openbsd-1930e571259f12d9779f43a180c86db18518919c.tar.bz2
openbsd-1930e571259f12d9779f43a180c86db18518919c.zip
2 files changed, 12 insertions, 8 deletions
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index 6331601a4c..1276b2ff47 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -546,14 +546,16 @@ struct ssl_session_st {
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
 * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
- * the workaround is not needed.  Unfortunately some broken SSL/TLS
+ * the workaround is not needed.
- * implementations cannot handle it at all, which is why we include
+ * Unfortunately some broken SSL/TLS implementations cannot handle it
- * it in SSL_OP_ALL. */
+ * at all, which is why it was previously included in SSL_OP_ALL.
+ * Now it's not.
+ */
 #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              0x00000800L /* added in 0.9.6e */
 /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
 *             This used to be 0x000FFFFFL before 0.9.7. */
-#define SSL_OP_ALL                                      0x80000BFFL
+#define SSL_OP_ALL                                      0x800004FFL
 /* DTLS options */
 #define SSL_OP_NO_QUERY_MTU                 0x00001000L
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 6331601a4c..1276b2ff47 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -546,14 +546,16 @@ struct ssl_session_st {
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
 * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
- * the workaround is not needed.  Unfortunately some broken SSL/TLS
+ * the workaround is not needed.
- * implementations cannot handle it at all, which is why we include
+ * Unfortunately some broken SSL/TLS implementations cannot handle it
- * it in SSL_OP_ALL. */
+ * at all, which is why it was previously included in SSL_OP_ALL.
+ * Now it's not.
+ */
 #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              0x00000800L /* added in 0.9.6e */
 /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
 *             This used to be 0x000FFFFFL before 0.9.7. */
-#define SSL_OP_ALL                                      0x80000BFFL
+#define SSL_OP_ALL                                      0x800004FFL
 /* DTLS options */
 #define SSL_OP_NO_QUERY_MTU                 0x00001000L
author	tedu <>	2014-04-28 20:05:21 +0000
committer	tedu <>	2014-04-28 20:05:21 +0000
commit	1930e571259f12d9779f43a180c86db18518919c (patch)
tree	c6d7fa38764e2c3c5e895a7f308a8e84029f9482 /src/lib
parent	7a4f732a85349df89eada8ce0370b3487ae64549 (diff)
download	openbsd-1930e571259f12d9779f43a180c86db18518919c.tar.gz openbsd-1930e571259f12d9779f43a180c86db18518919c.tar.bz2 openbsd-1930e571259f12d9779f43a180c86db18518919c.zip