boringssl

kris/boringssl

Fork 0

Commit Graph

Author	SHA1	Message	Date
David Benjamin	3cfeb9522b	Disable SSLv3 by default. As a precursor to removing the code entirely later, disable the protocol by default. Callers must use SSL_CTX_set_min_version to enable it. This change also makes SSLv3_method not enable SSL 3.0. Normally version-specific methods set the minimum and maximum version to their version. SSLv3_method leaves the minimum at the default, so we will treat it as all versions disabled. To help debugging, the error code is switched from WRONG_SSL_VERSION to a new NO_SUPPORTED_VERSIONS_ENABLED. This also defines OPENSSL_NO_SSL3 and OPENSSL_NO_SSL3_METHOD to kick in any no-ssl3 build paths in consumers which should provide a convenient hook for any upstreaming changes that may be needed. (OPENSSL_NO_SSL3 existed in older versions of OpenSSL, so in principle one may encounter an OpenSSL with the same settings.) Change-Id: I96a8f2f568eb77b2537b3a774b2f7108bd67dd0c Reviewed-on: https://boringssl-review.googlesource.com/14031 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>	2017-04-11 16:38:16 +00:00
David Benjamin	e593fed378	Rename opensslfeatures.h to opensslconf.h. Some software #includes opensslconf.h which typically contains settings that we put in opensslfeatures.h (a header name not in OpenSSL). Rename it to opensslconf.h. Change-Id: Icd21dde172e5e489ce90dd5c16ae4d2696909fb6 Reviewed-on: https://boringssl-review.googlesource.com/7216 Reviewed-by: Adam Langley <agl@google.com>	2016-02-26 01:32:50 +00:00

Author

SHA1

Message

Date

David Benjamin

3cfeb9522b

Disable SSLv3 by default.

As a precursor to removing the code entirely later, disable the protocol
by default. Callers must use SSL_CTX_set_min_version to enable it.

This change also makes SSLv3_method *not* enable SSL 3.0. Normally
version-specific methods set the minimum and maximum version to their
version. SSLv3_method leaves the minimum at the default, so we will
treat it as all versions disabled. To help debugging, the error code is
switched from WRONG_SSL_VERSION to a new NO_SUPPORTED_VERSIONS_ENABLED.

This also defines OPENSSL_NO_SSL3 and OPENSSL_NO_SSL3_METHOD to kick in
any no-ssl3 build paths in consumers which should provide a convenient
hook for any upstreaming changes that may be needed. (OPENSSL_NO_SSL3
existed in older versions of OpenSSL, so in principle one may encounter
an OpenSSL with the same settings.)

Change-Id: I96a8f2f568eb77b2537b3a774b2f7108bd67dd0c
Reviewed-on: https://boringssl-review.googlesource.com/14031
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

2017-04-11 16:38:16 +00:00

David Benjamin

e593fed378

Rename opensslfeatures.h to opensslconf.h.

Some software #includes opensslconf.h which typically contains settings that we
put in opensslfeatures.h (a header name not in OpenSSL). Rename it to
opensslconf.h.

Change-Id: Icd21dde172e5e489ce90dd5c16ae4d2696909fb6
Reviewed-on: https://boringssl-review.googlesource.com/7216
Reviewed-by: Adam Langley <agl@google.com>

2016-02-26 01:32:50 +00:00

2 Commits