[botan-devel] Removing SSLv3 and SSLv2 client hello handling

Uri Blumenthal uri at mit.edu
Sun Dec 28 13:17:36 EST 2014


These are the patches I found necessary to correctly run Botan-1.11.11:

$ cat ~/b11.txt
*** src/lib/cert/x509/x509cert.cpp.~1~	2014-12-21 20:47:07.000000000 -0500
--- src/lib/cert/x509/x509cert.cpp	2014-12-27 21:52:50.000000000 -0500
***************
*** 95,102 ****
--- 95,105 ----

     if(version > 2)
        throw Decoding_Error("Unknown X.509 cert version " + std::to_string(version));
+
+ #if 0
     if(sig_algo != sig_algo_inner)
        throw Decoding_Error("Algorithm identifier mismatch");
+ #endif

     self_signed = (dn_subject == dn_issuer);

*** src/lib/cert/x509/x509_crl.cpp.~1~	2014-12-21 20:47:07.000000000 -0500
--- src/lib/cert/x509/x509_crl.cpp	2014-12-27 21:57:34.000000000 -0500
***************
*** 93,100 ****
--- 93,102 ----
     AlgorithmIdentifier sig_algo_inner;
     tbs_crl.decode(sig_algo_inner);

+ #if 0
     if(sig_algo != sig_algo_inner)
        throw X509_CRL_Error("Algorithm identifier mismatch");
+ #endif

     X509_DN dn_issuer;
     tbs_crl.decode(dn_issuer);
*** src/cmd/x509print.cpp.~1~	2014-12-21 20:47:07.000000000 -0500
--- src/cmd/x509print.cpp	2014-12-27 21:48:59.000000000 -0500
***************
*** 6,12 ****

  int x509print(int argc, char* argv[])
     {
!    if(argc < 1)
        {
        std::cout << "Usage: " << argv[0] << " cert.pem\n";
        return 1;
--- 6,12 ----

  int x509print(int argc, char* argv[])
     {
!    if(argc <= 1)
        {
        std::cout << "Usage: " << argv[0] << " cert.pem\n";
        return 1;



On Dec 28, 2014, at 12:13 , Jack Lloyd <lloyd at randombit.net> wrote:

> 
> As part of removing SSLv3 support in a future release (as mentioned in
> the 1.11.11 announcement note, copied below), I'm planning on also
> removing support for processing SSLv2-mapped TLS client hellos.  This
> has no affect on clients, or on servers which only talk to botan TLS
> clients, but may affect servers with clients running old or
> misconfigured versions of openssl and company which sometimes send
> SSLv2 hellos.
> 
> As with the SSLv3 removal if this change to client hellos breaks your
> application now is a good time to mention it, as once the code is
> removed it will not be back. :)
> 
> Cheers,
>  Jack
> 
> On Tue, Dec 23, 2014 at 08:41:43AM -0500, Jack Lloyd wrote:
> 
>> One additional important note is that as of 1.11.11, SSLv3 support in the TLS
>> stack is officially deprecated (in addition to being disabled by default, as
>> it has since 1.11.6). I'm planning on removing SSLv3 support entirely in Q1 of
>> 2015 for both 1.11 and 1.10 branches. If this raises horrible show stopper
>> issues for you now is your time to yell.
>> 
> _______________________________________________
> botan-devel mailing list
> botan-devel at randombit.net
> http://lists.randombit.net/mailman/listinfo/botan-devel

--
Uri Blumenthal
uri at mit.edu

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1842 bytes
Desc: not available
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20141228/f8ec09c9/attachment-0001.p7s>


More information about the botan-devel mailing list