authorwtc%google.com <devnull@localhost>2011-10-06 22:42:34 +0000
committerwtc%google.com <devnull@localhost>2011-10-06 22:42:34 +0000
commita21af6307eab99cee4e9fd3dcca0b2b74ddf411e (patch)
tree9270e4cc7596be4889919268a2d2b5715b77357a
parent3ba8105a36f5c8500a3aaa8c520549f686562018 (diff)
Bug 593080: change the default of the SSL_ENABLE_SSL2 and NSS_3_13_RTM NSS_3_13_RC0
SSL_V2_COMPATIBLE_HELLO options to PR_FALSE. r=rrelyea. Modified Files: cmd/strsclnt/strsclnt.c cmd/tstclnt/tstclnt.c lib/ssl/ssl.h lib/ssl/sslsock.c
-rw-r--r--security/nss/cmd/strsclnt/strsclnt.c6
-rw-r--r--security/nss/cmd/tstclnt/tstclnt.c3
-rw-r--r--security/nss/lib/ssl/ssl.h4
-rw-r--r--security/nss/lib/ssl/sslsock.c4
4 files changed, 10 insertions, 7 deletions
diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c
index b54d2e255..df105ff9a 100644
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -1190,7 +1190,11 @@ client_main(
errExit("SSL_OptionSet SSL_SECURITY");
}
- /* disabling SSL2 compatible hellos also disables SSL2 */
+ rv = SSL_OptionSet(model_sock, SSL_ENABLE_SSL2, !disableSSL2);
+ if (rv != SECSuccess) {
+ errExit("error enabling SSLv2 ");
+ }
+
rv = SSL_OptionSet(model_sock, SSL_V2_COMPATIBLE_HELLO, !disableSSL2);
if (rv != SECSuccess) {
errExit("error enabling SSLv2 compatible hellos ");
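Review bot: The added `SSL_OptionSet(model_sock, SSL_ENABLE_SSL2, !disableSSL2)` call turns SSLv2 on in this tool whenever `disableSSL2` is false, which overrides the library default that this same commit switches to off. The declaration and initial value of `disableSSL2` are outside the hunk, so if it starts out false, strsclnt will presumably keep offering SSLv2 unless the user opts out. The removed comment is not replaced; I would add `/* SSL2 is off by default in the library; this tool enables it unless disableSSL2 is set */` above the new call so the override reads as intentional. client_main starts and ends outside the hunk.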
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
index 55684e685..f9afc02fc 100644
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -833,10 +833,9 @@ int main(int argc, char **argv)
return 1;
}
- /* disable ssl2 and ssl2-compatible client hellos. */
rv = SSL_OptionSet(s, SSL_V2_COMPATIBLE_HELLO, !disableSSL2);
if (rv != SECSuccess) {
- SECU_PrintError(progName, "error disabling v2 compatibility");
+ SECU_PrintError(progName, "error enabling SSLv2 compatible hellos ");
return 1;
}
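Review bot: The new message `"error enabling SSLv2 compatible hellos "` is misleading when `disableSSL2` is set, because the call then passes a false value and a failure is a failure to disable the option. A neutral wording covers both directions, for example `SECU_PrintError(progName, "error setting SSL_V2_COMPATIBLE_HELLO");`. The same applies to the two `errExit` strings in the strsclnt.c hunk. With the explanatory comment removed, the hunk no longer shows whether SSL_ENABLE_SSL2 is also set in this tool; main's body continues outside the hunk.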
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
index 5ab9b5f23..fcb93a4fa 100644
--- a/security/nss/lib/ssl/ssl.h
+++ b/security/nss/lib/ssl/ssl.h
@@ -100,7 +100,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
/* (off by default) */
#define SSL_HANDSHAKE_AS_SERVER 6 /* force connect to hs as server */
/* (off by default) */
-#define SSL_ENABLE_SSL2 7 /* enable ssl v2 (on by default) */
+#define SSL_ENABLE_SSL2 7 /* enable ssl v2 (off by default) */
#define SSL_ENABLE_SSL3 8 /* enable ssl v3 (on by default) */
#define SSL_NO_CACHE 9 /* don't use the session cache */
/* (off by default) */
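Review bot: The header comment for SSL_ENABLE_SSL2 now says only "off by default", so a caller reading ssl.h cannot tell that the default changed or in which release. The sslsock.c hunk of this commit records "now defaults to off in NSS 3.13"; carrying that into the public header helps applications that relied on the old default see that they must set the option explicitly, e.g. `/* enable ssl v2 (off by default since NSS 3.13) */`. The same applies to the SSL_V2_COMPATIBLE_HELLO comment in the following hunk.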
@@ -109,7 +109,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
#define SSL_ENABLE_FDX 11 /* permit simultaneous read/write */
/* (off by default) */
#define SSL_V2_COMPATIBLE_HELLO 12 /* send v3 client hello in v2 fmt */
- /* (on by default) */
+ /* (off by default) */
#define SSL_ENABLE_TLS 13 /* enable TLS (on by default) */
#define SSL_ROLLBACK_DETECTION 14 /* for compatibility, default: on */
#define SSL_NO_STEP_DOWN 15 /* Disable export cipher suites */
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
index a7e6bce8c..d5ec516ee 100644
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -170,12 +170,12 @@ static sslOptions ssl_defaults = {
2, /* requireCertificate */
PR_FALSE, /* handshakeAsClient */
PR_FALSE, /* handshakeAsServer */
- PR_TRUE, /* enableSSL2 */
+ PR_FALSE, /* enableSSL2 */ /* now defaults to off in NSS 3.13 */
PR_TRUE, /* enableSSL3 */
PR_TRUE, /* enableTLS */ /* now defaults to on in NSS 3.0 */
PR_FALSE, /* noCache */
PR_FALSE, /* fdx */
- PR_TRUE, /* v2CompatibleHello */
+ PR_FALSE, /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */
PR_TRUE, /* detectRollBack */
PR_FALSE, /* noStepDown */
PR_FALSE, /* bypassPKCS11 */