Disable SSLv2 default build, default negotiation and weak ciphers.

SSLv2 is by default disabled at build-time. Builds that are not configured with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of: SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); or SSL_clear_options(ssl, SSL_OP_NO_SSLv2); as appropriate. Even if either of those is used, or the application explicitly uses the version-specific SSLv2_method() or its client or server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no longer available. Mitigation for CVE-2016-0800 Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-17 21:07:48 -05:00 · 2016-02-17 21:07:48 -05:00 · 9dfd2be8a1
parent c175308407
commit 9dfd2be8a1
6 changed files with 42 additions and 3 deletions
--- a/17
+++ b/17
@ -4,6 +4,23 @@

 Changes between 1.0.2f and 1.0.2g [xx XXX xxxx]

+  * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
+    is by default disabled at build-time.  Builds that are not configured with
+    "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
+    users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
+    will need to explicitly call either of:
+
+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
+    or
+        SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
+
+    as appropriate.  Even if either of those is used, or the application
+    explicitly uses the version-specific SSLv2_method() or its client and
+    server variants, SSLv2 ciphers vulnerable to exhaustive search key
+    recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
+    ciphers, and SSLv2 56-bit DES are no longer available.
+    [Viktor Dukhovni]
+    
  *) Disable SRP fake user seed to address a server memory leak.

     Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
--- a/1
+++ b/1
@ -784,6 +784,7 @@ my %disabled = ( # "what"         => "comment" [or special keyword "experimental
 		 "sctp"           => "default",
 		 "shared"         => "default",
 		 "ssl-trace"	  => "default",
+		 "ssl2"           => "default",
 		 "store"	  => "experimental",
 		 "unit-test"	  => "default",
 		 "zlib"           => "default",
--- a/2
+++ b/2
@ -7,7 +7,7 @@

  Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [under development]

-      o
+      o Disable SSLv2 default build, default negotiation and weak ciphers.

  Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]

--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@ -156,6 +156,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
     128,
     },

+# if 0
 /* RC4_128_EXPORT40_WITH_MD5 */
    {
     1,
@ -171,6 +172,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
     40,
     128,
     },
+# endif

 /* RC2_128_CBC_WITH_MD5 */
    {
@ -188,6 +190,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
     128,
     },

+# if 0
 /* RC2_128_CBC_EXPORT40_WITH_MD5 */
    {
     1,
@ -203,6 +206,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
     40,
     128,
     },
+# endif

 # ifndef OPENSSL_NO_IDEA
 /* IDEA_128_CBC_WITH_MD5 */
@ -222,6 +226,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
     },
 # endif

+# if 0
 /* DES_64_CBC_WITH_MD5 */
    {
     1,
@ -237,6 +242,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
     56,
     56,
     },
+# endif

 /* DES_192_EDE3_CBC_WITH_MD5 */
    {
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@ -330,11 +330,19 @@ static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value)
        SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
        SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2)
    };
+    int ret;
+    int sslv2off;
+
    if (!(cctx->flags & SSL_CONF_FLAG_FILE))
        return -2;
    cctx->tbl = ssl_protocol_list;
    cctx->ntbl = sizeof(ssl_protocol_list) / sizeof(ssl_flag_tbl);
-    return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
+
+    sslv2off = *cctx->poptions & SSL_OP_NO_SSLv2;
+    ret = CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
+    /* Never turn on SSLv2 through configuration */
+    *cctx->poptions |= sslv2off;
+    return ret;
 }

 static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -2054,6 +2054,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
     */
    ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;

+    /*
+     * Disable SSLv2 by default, callers that want to enable SSLv2 will have to
+     * explicitly clear this option via either of SSL_CTX_clear_options() or
+     * SSL_clear_options().
+     */
+    ret->options |= SSL_OP_NO_SSLv2;
+
    return (ret);
 err:
    SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);