boringssl

History

David Benjamin 3cfeb9522b Disable SSLv3 by default. As a precursor to removing the code entirely later, disable the protocol by default. Callers must use SSL_CTX_set_min_version to enable it. This change also makes SSLv3_method not enable SSL 3.0. Normally version-specific methods set the minimum and maximum version to their version. SSLv3_method leaves the minimum at the default, so we will treat it as all versions disabled. To help debugging, the error code is switched from WRONG_SSL_VERSION to a new NO_SUPPORTED_VERSIONS_ENABLED. This also defines OPENSSL_NO_SSL3 and OPENSSL_NO_SSL3_METHOD to kick in any no-ssl3 build paths in consumers which should provide a convenient hook for any upstreaming changes that may be needed. (OPENSSL_NO_SSL3 existed in older versions of OpenSSL, so in principle one may encounter an OpenSSL with the same settings.) Change-Id: I96a8f2f568eb77b2537b3a774b2f7108bd67dd0c Reviewed-on: https://boringssl-review.googlesource.com/14031 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>	2017-04-11 16:38:16 +00:00
..
openssl	Disable SSLv3 by default.	2017-04-11 16:38:16 +00:00

David Benjamin 3cfeb9522b Disable SSLv3 by default.

As a precursor to removing the code entirely later, disable the protocol
by default. Callers must use SSL_CTX_set_min_version to enable it.

This change also makes SSLv3_method *not* enable SSL 3.0. Normally
version-specific methods set the minimum and maximum version to their
version. SSLv3_method leaves the minimum at the default, so we will
treat it as all versions disabled. To help debugging, the error code is
switched from WRONG_SSL_VERSION to a new NO_SUPPORTED_VERSIONS_ENABLED.

This also defines OPENSSL_NO_SSL3 and OPENSSL_NO_SSL3_METHOD to kick in
any no-ssl3 build paths in consumers which should provide a convenient
hook for any upstreaming changes that may be needed. (OPENSSL_NO_SSL3
existed in older versions of OpenSSL, so in principle one may encounter
an OpenSSL with the same settings.)

Change-Id: I96a8f2f568eb77b2537b3a774b2f7108bd67dd0c
Reviewed-on: https://boringssl-review.googlesource.com/14031
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

2017-04-11 16:38:16 +00:00

openssl

Disable SSLv3 by default.

2017-04-11 16:38:16 +00:00