From e23e95b70f14a01a428a6d966e2cb510a4bf1cd6 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Tue, 31 Mar 2015 13:17:48 +0000
Subject: Nuke the OPENSSL_MAX_TLS1_2_CIPHER_LENGTH hack - this has to be enabled at compile time, which we do not do and are unlikely to ever do. Additionally, there are two runtime configurable alternatives that exist.

ok bcook@ doug@
---
 src/lib/libssl/s23_clnt.c | 12 +-----------
 src/lib/libssl/s3_clnt.c | 12 +-----------
 src/lib/libssl/src/ssl/s23_clnt.c | 12 +-----------
 src/lib/libssl/src/ssl/s3_clnt.c | 12 +-----------
 4 files changed, 4 insertions(+), 44 deletions(-)
(limited to 'src/lib')

diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index 0ab56fa38d..30d97683a7 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_clnt.c,v 1.37 2015/03/27 12:29:54 jsing Exp $ */
+/* $OpenBSD: s23_clnt.c,v 1.38 2015/03/31 13:17:48 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -358,16 +358,6 @@ ssl23_client_hello(SSL *s)
 SSL_R_NO_CIPHERS_AVAILABLE);
 return -1;
 }
-#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
- /*
- * Some servers hang if client hello > 256 bytes
- * as hack workaround chop number of supported ciphers
- * to keep it well below this if we use TLS v1.2
- */
- if (TLS1_get_version(s) >= TLS1_2_VERSION &&
- i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
- i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
-#endif
 s2n(i, p);
 p += i;
 
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 07d2eb583a..8a137056be 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.110 2015/03/27 12:29:54 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.111 2015/03/31 13:17:48 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
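Review bot: With the `#ifdef` block gone, nothing between the SSL_R_NO_CIPHERS_AVAILABLE branch and `s2n(i, p)` bounds the cipher-list byte length `i`, and `s2n` only emits the low 16 bits, so the bound now rests entirely on where `i` is computed, earlier in ssl23_client_hello and outside this hunk. That is presumably the intent (the description points to runtime alternatives), but it is worth stating at the write, e.g. `/* No ClientHello size cap is applied here; i is assumed to be bounded by the buffer it was written into and to fit the 2-byte length field. */`. The same point applies to the ssl3_client_hello hunk in s3_clnt.c and to both src/ssl duplicates. ssl23_client_hello begins and ends outside the hunk.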
@@ -710,16 +710,6 @@ ssl3_client_hello(SSL *s)
 SSL_R_NO_CIPHERS_AVAILABLE);
 goto err;
 }
-#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
- /*
- * Some servers hang if client hello > 256 bytes
- * as hack workaround chop number of supported ciphers
- * to keep it well below this if we use TLS v1.2
- */
- if (TLS1_get_version(s) >= TLS1_2_VERSION &&
- i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
- i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
-#endif
 s2n(i, p);
 p += i;
 
diff --git a/src/lib/libssl/src/ssl/s23_clnt.c b/src/lib/libssl/src/ssl/s23_clnt.c
index 0ab56fa38d..30d97683a7 100644
--- a/src/lib/libssl/src/ssl/s23_clnt.c
+++ b/src/lib/libssl/src/ssl/s23_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_clnt.c,v 1.37 2015/03/27 12:29:54 jsing Exp $ */
+/* $OpenBSD: s23_clnt.c,v 1.38 2015/03/31 13:17:48 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -358,16 +358,6 @@ ssl23_client_hello(SSL *s)
 SSL_R_NO_CIPHERS_AVAILABLE);
 return -1;
 }
-#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
- /*
- * Some servers hang if client hello > 256 bytes
- * as hack workaround chop number of supported ciphers
- * to keep it well below this if we use TLS v1.2
- */
- if (TLS1_get_version(s) >= TLS1_2_VERSION &&
- i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
- i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
-#endif
 s2n(i, p);
 p += i;
 
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 07d2eb583a..8a137056be 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.110 2015/03/27 12:29:54 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.111 2015/03/31 13:17:48 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -710,16 +710,6 @@ ssl3_client_hello(SSL *s)
 SSL_R_NO_CIPHERS_AVAILABLE);
 goto err;
 }
-#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
- /*
- * Some servers hang if client hello > 256 bytes
- * as hack workaround chop number of supported ciphers
- * to keep it well below this if we use TLS v1.2
- */
- if (TLS1_get_version(s) >= TLS1_2_VERSION &&
- i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
- i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
-#endif
 s2n(i, p);
 p += i;
 
-- 
cgit v1.2.3-55-g6feb