author | wtc%google.com <devnull@localhost> | 2011-10-06 22:42:34 +0000 |
---|---|---|
committer | wtc%google.com <devnull@localhost> | 2011-10-06 22:42:34 +0000 |
commit | a21af6307eab99cee4e9fd3dcca0b2b74ddf411e (patch) | |
tree | 9270e4cc7596be4889919268a2d2b5715b77357a | |
parent | 3ba8105a36f5c8500a3aaa8c520549f686562018 (diff) | |
download | nss-hg-a21af6307eab99cee4e9fd3dcca0b2b74ddf411e.tar.gz |
Bug 593080: change the default of the SSL_ENABLE_SSL2 and [NSS_3_13_RTM] [NSS_3_13_RC0]
SSL_V2_COMPATIBLE_HELLO options to PR_FALSE. r=rrelyea.
Modified Files:
cmd/strsclnt/strsclnt.c cmd/tstclnt/tstclnt.c lib/ssl/ssl.h
lib/ssl/sslsock.c
-rw-r--r-- | security/nss/cmd/strsclnt/strsclnt.c | 6 | ||||
-rw-r--r-- | security/nss/cmd/tstclnt/tstclnt.c | 3 | ||||
-rw-r--r-- | security/nss/lib/ssl/ssl.h | 4 | ||||
-rw-r--r-- | security/nss/lib/ssl/sslsock.c | 4 |
4 files changed, 10 insertions, 7 deletions
diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c
index b54d2e255..df105ff9a 100644
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -1190,7 +1190,11 @@ client_main(
 errExit("SSL_OptionSet SSL_SECURITY");
 }
- /* disabling SSL2 compatible hellos also disables SSL2 */
+ rv = SSL_OptionSet(model_sock, SSL_ENABLE_SSL2, !disableSSL2);
+ if (rv != SECSuccess) {
+ errExit("error enabling SSLv2 ");
+ }
+
 rv = SSL_OptionSet(model_sock, SSL_V2_COMPATIBLE_HELLO, !disableSSL2);
 if (rv != SECSuccess) {
 errExit("error enabling SSLv2 compatible hellos ");
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
index 55684e685..f9afc02fc 100644
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -833,10 +833,9 @@ int main(int argc, char **argv)
 return 1;
 }
- /* disable ssl2 and ssl2-compatible client hellos. */
 rv = SSL_OptionSet(s, SSL_V2_COMPATIBLE_HELLO, !disableSSL2);
 if (rv != SECSuccess) {
- SECU_PrintError(progName, "error disabling v2 compatibility");
+ SECU_PrintError(progName, "error enabling SSLv2 compatible hellos ");
 return 1;
 }
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
index 5ab9b5f23..fcb93a4fa 100644
--- a/security/nss/lib/ssl/ssl.h
+++ b/security/nss/lib/ssl/ssl.h
@@ -100,7 +100,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
 /* (off by default) */
 #define SSL_HANDSHAKE_AS_SERVER 6 /* force connect to hs as server */
 /* (off by default) */
-#define SSL_ENABLE_SSL2 7 /* enable ssl v2 (on by default) */
+#define SSL_ENABLE_SSL2 7 /* enable ssl v2 (off by default) */
 #define SSL_ENABLE_SSL3 8 /* enable ssl v3 (on by default) */
 #define SSL_NO_CACHE 9 /* don't use the session cache */
 /* (off by default) */
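Review bot: The new error string `"error enabling SSLv2 "` in client_main is inaccurate whenever `disableSSL2` is true, because the same call then turns the option off; the tstclnt.c hunk rewords its message to "error enabling SSLv2 compatible hellos " with the same problem. A neutral message in the style of the context line just above, `errExit("SSL_OptionSet SSL_ENABLE_SSL2");`, names the failing option without guessing the direction and drops the trailing space. Since the library default becomes off in this commit while this tool passes `!disableSSL2`, a one-line comment such as `/* library default is off; this tool turns SSL2 on unless disableSSL2 is set */` would make that difference visible. client_main's body and the definition of disableSSL2 lie outside the hunk.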
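Review bot: After this change the visible part of main() in tstclnt.c sets only SSL_V2_COMPATIBLE_HELLO, and the deleted comment was the only statement that this call was also meant to cover SSL2 itself. With both library defaults now PR_FALSE, it is worth confirming that SSL_ENABLE_SSL2 is also driven from `disableSSL2` somewhere in main() outside this hunk, as the strsclnt.c hunk now does explicitly; otherwise the two test clients could differ in what they offer. If that call exists, a short replacement comment such as `/* SSL_ENABLE_SSL2 is set separately; this controls only the hello format */` would keep the intent readable.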
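Review bot: The two comment edits in ssl.h (this hunk for SSL_ENABLE_SSL2 and the following @@ -109 hunk for SSL_V2_COMPATIBLE_HELLO) flip "on" to "off" but do not say when the default changed or that the two options interact. sslsock.c in this same commit records the release (`/* now defaults to off in NSS 3.13 */`), and the comment deleted from strsclnt.c stated that disabling SSL2-compatible hellos also disables SSL2; both facts belong in the public header, for example `/* enable ssl v2 (off by default since NSS 3.13) */`. Applications that relied on the old default will change behaviour on upgrade, and the header is where their maintainers will look.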
@@ -109,7 +109,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
 #define SSL_ENABLE_FDX 11 /* permit simultaneous read/write */
 /* (off by default) */
 #define SSL_V2_COMPATIBLE_HELLO 12 /* send v3 client hello in v2 fmt */
- /* (on by default) */
+ /* (off by default) */
 #define SSL_ENABLE_TLS 13 /* enable TLS (on by default) */
 #define SSL_ROLLBACK_DETECTION 14 /* for compatibility, default: on */
 #define SSL_NO_STEP_DOWN 15 /* Disable export cipher suites */
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
index a7e6bce8c..d5ec516ee 100644
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -170,12 +170,12 @@ static sslOptions ssl_defaults = {
 2, /* requireCertificate */
 PR_FALSE, /* handshakeAsClient */
 PR_FALSE, /* handshakeAsServer */
- PR_TRUE, /* enableSSL2 */
+ PR_FALSE, /* enableSSL2 */ /* now defaults to off in NSS 3.13 */
 PR_TRUE, /* enableSSL3 */
 PR_TRUE, /* enableTLS */ /* now defaults to on in NSS 3.0 */
 PR_FALSE, /* noCache */
 PR_FALSE, /* fdx */
- PR_TRUE, /* v2CompatibleHello */
+ PR_FALSE, /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */
 PR_TRUE, /* detectRollBack */
 PR_FALSE, /* noStepDown */
 PR_FALSE, /* bypassPKCS11 */ |
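Review bot: Nothing in this commit pins the new values of `enableSSL2` and `v2CompatibleHello` in ssl_defaults; the diffstat lists only the two command-line tools, ssl.h and sslsock.c. The initializer is positional, so a later reordering or a bad merge could silently restore PR_TRUE for either field. A small regression check that reads both defaults back with SSL_OptionGetDefault and expects PR_FALSE would protect this hardening. The trailing comments could also be worded as a state rather than an event, e.g. `/* off by default since NSS 3.13 */`. The initializer continues past the end of the hunk.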