diff --git a/CHANGES.md b/CHANGES.md index 7b6c7c5ffb..6e89f9814c 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -82,6 +82,14 @@ OpenSSL 3.0 *Boris Pismenny, John Baldwin and Andrew Gallatin* + * Support for RFC 5746 secure renegotiation is now required by default for + SSL or TLS connections to succeed. Applications that require the ability + to connect to legacy peers will need to explicitly set + SSL_OP_LEGACY_SERVER_CONNECT. Accordingly, SSL_OP_LEGACY_SERVER_CONNECT + is no longer set as part of SSL_OP_ALL. + + *Benjamin Kaduk* + * The signature of the `copy` functional parameter of the EVP_PKEY_meth_set_copy() function has changed so its `src` argument is now `const EVP_PKEY_CTX *` instead of `EVP_PKEY_CTX *`. Similarly diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index 125164e4c8..8da8f7f060 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -76,7 +76,6 @@ set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers. permits or prohibits the use of unsafe legacy renegotiation for OpenSSL clients only. Equivalent to setting or clearing B. -Set by default. =item B<-prioritize_chacha> diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index 1bc5894127..e84aaac8a8 100644 --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod @@ -88,8 +88,7 @@ implementations. =item SSL_OP_ALL -All of the above bug workarounds plus B as -mentioned below. +All of the above bug workarounds. =back @@ -193,8 +192,7 @@ servers. See the B section for more details. =item SSL_OP_LEGACY_SERVER_CONNECT Allow legacy insecure renegotiation between OpenSSL and unpatched servers -B: this option is currently set by default. See the -B section for more details. +B. See the B section for more details. =item SSL_OP_NO_ENCRYPT_THEN_MAC 
@@ -378,15 +376,10 @@ and renegotiation between patched OpenSSL clients and unpatched servers succeeds. If neither option is set then initial connections to unpatched servers will fail. -The option B is currently set by default even -though it has security implications: otherwise it would be impossible to -connect to unpatched servers (i.e. all of them initially) and this is clearly -not acceptable. Renegotiation is permitted because this does not add any -additional security issues: during an attack clients do not see any -renegotiations anyway. - -As more servers become patched the option B will -B be set by default in a future version of OpenSSL. +Setting the option B has security implications; +clients that are willing to connect to servers that do not implement +RFC 5746 secure renegotiation are subject to attacks such as +CVE-2009-3555. OpenSSL client applications wishing to ensure they can connect to unpatched servers should always B B diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index d607d8d02f..d03fff6be5 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -425,7 +425,6 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg); */ # define SSL_OP_ALL (SSL_OP_CRYPTOPRO_TLSEXT_BUG|\ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS|\ - SSL_OP_LEGACY_SERVER_CONNECT|\ SSL_OP_TLSEXT_PADDING|\ SSL_OP_SAFARI_ECDHE_ECDSA_BUG) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 27a5ec4581..c9b49279c5 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3310,11 +3310,6 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, } # endif #endif - /* - * Default is to connect to non-RI servers. When RI is more widely - * deployed might change this. - */ - ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; /* * Disable compression by default to prevent CRIME. Applications can * re-enable compression by configuring
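Review bot: In the CHANGES.md entry, "required by default for SSL or TLS connections to succeed" is broader than what the rest of the patch changes. SSL_OP_LEGACY_SERVER_CONNECT is described in the SSL_CONF_cmd.pod context of this same patch as applying "for OpenSSL clients only", and the ssl_lib.c hunk only stops setting that bit on a new SSL_CTX. Suggest scoping the sentence to clients connecting to servers that lack RFC 5746 support, so that readers running servers do not take it as a change to what their server accepts.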
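Review bot: In the SSL_CONF_cmd.pod hunk, deleting "Set by default." leaves the option with no statement of its default at all. The default has flipped rather than become unspecified, so suggest replacing the line with an explicit "Not set by default." instead of only removing it. The same applies to the SSL_OP_LEGACY_SERVER_CONNECT item in the SSL_CTX_set_options.pod hunk at -193,8, where "this option is currently set by default" is dropped without a replacement.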
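Review bot: In the SSL_CTX_set_options.pod hunk at -378,15, the new paragraph warns about setting SSL_OP_LEGACY_SERVER_CONNECT but never says that the option is now off by default, which is the behaviour change a reader of this section most needs. The retained sentence just above ("If neither option is set then initial connections to unpatched servers will fail") now describes the default case, so suggest adding one sentence saying so. The retained paragraph that follows ("wishing to ensure they can connect to unpatched servers should always ...") now sits directly after the CVE-2009-3555 warning and reads as a recommendation; consider rewording it so that setting the option is presented as an explicit opt-in with the stated risk.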
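Review bot: In the include/openssl/ssl.h.in hunk, removing SSL_OP_LEGACY_SERVER_CONNECT from SSL_OP_ALL silently changes what existing calls that pass SSL_OP_ALL do. Code that sets SSL_OP_ALL no longer gets legacy server connect, and code that clears SSL_OP_ALL no longer clears that bit if it was set separately. CHANGES.md covers the first case, but nothing at the macro itself records it. Suggest a short comment next to the SSL_OP_ALL definition noting that SSL_OP_LEGACY_SERVER_CONNECT is deliberately not part of it and must be set explicitly.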
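Review bot: In the ssl/ssl_lib.c hunk, the default set in SSL_CTX_new_ex() changes, but none of the files touched in this diff is a test. Suggest adding a test that a freshly created SSL_CTX has SSL_OP_LEGACY_SERVER_CONNECT clear, that a client handshake with a peer lacking RFC 5746 support fails by default, and that it succeeds once the option is set explicitly. Any existing tests that relied on the old default to talk to such peers will also need the option set.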