Nuke the OPENSSL_MAX_TLS1_2_CIPHER_LENGTH hack - this has to be enabled at

compile time, which we do not do and are unlikely to ever do. Additionally, there are two runtime configurable alternatives that exist. ok bcook@ doug@
author: jsing <> 2015-03-31 13:17:48 +0000
committer: jsing <> 2015-03-31 13:17:48 +0000
commit: e23e95b70f14a01a428a6d966e2cb510a4bf1cd6 (patch)
tree: e8ced55c09cfc7ee22c26d09ac692040a9221168 /src/lib
parent: b5828f12ff689b9c1b62264b27b32dcbd97de33f (diff)
download: openbsd-e23e95b70f14a01a428a6d966e2cb510a4bf1cd6.tar.gz
openbsd-e23e95b70f14a01a428a6d966e2cb510a4bf1cd6.tar.bz2
openbsd-e23e95b70f14a01a428a6d966e2cb510a4bf1cd6.zip
4 files changed, 4 insertions, 44 deletions
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index 0ab56fa38d..30d97683a7 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_clnt.c,v 1.37 2015/03/27 12:29:54 jsing Exp $ */
+/* $OpenBSD: s23_clnt.c,v 1.38 2015/03/31 13:17:48 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -358,16 +358,6 @@ ssl23_client_hello(SSL *s)
                            SSL_R_NO_CIPHERS_AVAILABLE);
                        return -1;
                }
-#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
-                /*
-                 * Some servers hang if client hello > 256 bytes
-                 * as hack workaround chop number of supported ciphers
-                 * to keep it well below this if we use TLS v1.2
-                 */
-                if (TLS1_get_version(s) >= TLS1_2_VERSION &&
-                    i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
-                        i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
-#endif
                s2n(i, p);
                p += i;
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 07d2eb583a..8a137056be 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.110 2015/03/27 12:29:54 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.111 2015/03/31 13:17:48 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -710,16 +710,6 @@ ssl3_client_hello(SSL *s)
                            SSL_R_NO_CIPHERS_AVAILABLE);
                        goto err;
                }
-#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
-                        /*
-                         * Some servers hang if client hello > 256 bytes
-                         * as hack workaround chop number of supported ciphers
-                         * to keep it well below this if we use TLS v1.2
-                         */
-                if (TLS1_get_version(s) >= TLS1_2_VERSION &&
-                    i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
-                        i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
-#endif
                s2n(i, p);
                p += i;
diff --git a/src/lib/libssl/src/ssl/s23_clnt.c b/src/lib/libssl/src/ssl/s23_clnt.c
index 0ab56fa38d..30d97683a7 100644
--- a/src/lib/libssl/src/ssl/s23_clnt.c
+++ b/src/lib/libssl/src/ssl/s23_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_clnt.c,v 1.37 2015/03/27 12:29:54 jsing Exp $ */
+/* $OpenBSD: s23_clnt.c,v 1.38 2015/03/31 13:17:48 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -358,16 +358,6 @@ ssl23_client_hello(SSL *s)
                            SSL_R_NO_CIPHERS_AVAILABLE);
                        return -1;
                }
-#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
-                /*
-                 * Some servers hang if client hello > 256 bytes
-                 * as hack workaround chop number of supported ciphers
-                 * to keep it well below this if we use TLS v1.2
-                 */
-                if (TLS1_get_version(s) >= TLS1_2_VERSION &&
-                    i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
-                        i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
-#endif
                s2n(i, p);
                p += i;
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 07d2eb583a..8a137056be 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.110 2015/03/27 12:29:54 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.111 2015/03/31 13:17:48 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -710,16 +710,6 @@ ssl3_client_hello(SSL *s)
                            SSL_R_NO_CIPHERS_AVAILABLE);
                        goto err;
                }
-#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
-                        /*
-                         * Some servers hang if client hello > 256 bytes
-                         * as hack workaround chop number of supported ciphers
-                         * to keep it well below this if we use TLS v1.2
-                         */
-                if (TLS1_get_version(s) >= TLS1_2_VERSION &&
-                    i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
-                        i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
-#endif
                s2n(i, p);
                p += i;
author	jsing <>	2015-03-31 13:17:48 +0000
committer	jsing <>	2015-03-31 13:17:48 +0000
commit	e23e95b70f14a01a428a6d966e2cb510a4bf1cd6 (patch)
tree	e8ced55c09cfc7ee22c26d09ac692040a9221168 /src/lib
parent	b5828f12ff689b9c1b62264b27b32dcbd97de33f (diff)
download	openbsd-e23e95b70f14a01a428a6d966e2cb510a4bf1cd6.tar.gz openbsd-e23e95b70f14a01a428a6d966e2cb510a4bf1cd6.tar.bz2 openbsd-e23e95b70f14a01a428a6d966e2cb510a4bf1cd6.zip