From 9dfd2be8a1761fffd152a92d8f1b356ad667eea7 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Wed, 17 Feb 2016 21:07:48 -0500 Subject: [PATCH] Disable SSLv2 default build, default negotiation and weak ciphers. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SSLv2 is by default disabled at build-time. Builds that are not configured with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of: SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); or SSL_clear_options(ssl, SSL_OP_NO_SSLv2); as appropriate. Even if either of those is used, or the application explicitly uses the version-specific SSLv2_method() or its client or server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no longer available. Mitigation for CVE-2016-0800 Reviewed-by: Emilia Käsper Upstream-Status: Backport https://git.openssl.org/?p=openssl.git;a=commit;h=9dfd2be8a1761fffd152a92d8f1b356ad667eea7 CVE: CVE-2016-0800 Signed-off-by: Armin Kuster --- CHANGES | 17 +++++++++++++++++ Configure | 3 ++- NEWS | 2 +- ssl/s2_lib.c | 6 ++++++ ssl/ssl_conf.c | 10 +++++++++- ssl/ssl_lib.c | 7 +++++++ 6 files changed, 42 insertions(+), 3 deletions(-) Index: openssl-1.0.2d/Configure =================================================================== --- openssl-1.0.2d.orig/Configure +++ openssl-1.0.2d/Configure @@ -847,9 +847,10 @@ my %disabled = ( # "what" => "co "md2" => "default", "rc5" => "default", "rfc3779" => "default", - "sctp" => "default", + "sctp" => "default", "shared" => "default", "ssl-trace" => "default", + "ssl2" => "default", "store" => "experimental", "unit-test" => "default", "zlib" => "default", Index: openssl-1.0.2d/ssl/s2_lib.c =================================================================== --- openssl-1.0.2d.orig/ssl/s2_lib.c +++ openssl-1.0.2d/ssl/s2_lib.c @@ -156,6 +156,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip 128, }, +# if 0 /* RC4_128_EXPORT40_WITH_MD5 */ { 1, @@ -171,6 +172,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip 40, 128, }, +# endif /* RC2_128_CBC_WITH_MD5 */ { @@ -188,6 +190,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip 128, }, +# if 0 /* RC2_128_CBC_EXPORT40_WITH_MD5 */ { 1, @@ -203,6 +206,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip 40, 128, }, +# endif # ifndef OPENSSL_NO_IDEA /* IDEA_128_CBC_WITH_MD5 */ @@ -222,6 +226,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip }, # endif +# if 0 /* DES_64_CBC_WITH_MD5 */ { 1, @@ -237,6 +242,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip 56, 56, }, +# endif /* DES_192_EDE3_CBC_WITH_MD5 */ { Index: openssl-1.0.2d/ssl/ssl_conf.c =================================================================== --- openssl-1.0.2d.orig/ssl/ssl_conf.c +++ openssl-1.0.2d/ssl/ssl_conf.c @@ -330,11 +330,19 @@ static int cmd_Protocol(SSL_CONF_CTX *cc SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1), SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2) }; + int ret; + int sslv2off; + if (!(cctx->flags & SSL_CONF_FLAG_FILE)) return -2; cctx->tbl = ssl_protocol_list; cctx->ntbl = sizeof(ssl_protocol_list) / sizeof(ssl_flag_tbl); - return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); + + sslv2off = *cctx->poptions & SSL_OP_NO_SSLv2; + ret = CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); + /* Never turn on SSLv2 through configuration */ + *cctx->poptions |= sslv2off; + return ret; } static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) Index: openssl-1.0.2d/ssl/ssl_lib.c =================================================================== --- openssl-1.0.2d.orig/ssl/ssl_lib.c +++ openssl-1.0.2d/ssl/ssl_lib.c @@ -2052,6 +2052,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m */ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; + /* + * Disable SSLv2 by default, callers that want to enable SSLv2 will have to + * explicitly clear this option via either of SSL_CTX_clear_options() or + * SSL_clear_options(). + */ + ret->options |= SSL_OP_NO_SSLv2; + return (ret); err: SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); Index: openssl-1.0.2d/CHANGES =================================================================== --- openssl-1.0.2d.orig/CHANGES +++ openssl-1.0.2d/CHANGES @@ -2,6 +2,25 @@ OpenSSL CHANGES _______________ + + * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2 + is by default disabled at build-time. Builds that are not configured with + "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, + users who want to negotiate SSLv2 via the version-flexible SSLv23_method() + will need to explicitly call either of: + + SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); + or + SSL_clear_options(ssl, SSL_OP_NO_SSLv2); + + as appropriate. Even if either of those is used, or the application + explicitly uses the version-specific SSLv2_method() or its client and + server variants, SSLv2 ciphers vulnerable to exhaustive search key + recovery have been removed. Specifically, the SSLv2 40-bit EXPORT + ciphers, and SSLv2 56-bit DES are no longer available. + [Viktor Dukhovni] + + Changes between 1.0.2c and 1.0.2d [9 Jul 2015] *) Alternate chains certificate forgery Index: openssl-1.0.2d/NEWS =================================================================== --- openssl-1.0.2d.orig/NEWS +++ openssl-1.0.2d/NEWS @@ -1,6 +1,7 @@ NEWS ==== + Disable SSLv2 default build, default negotiation and weak ciphers. This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file.