Skip to content

Commit

Permalink
Remove support for SSL_OP_NETSCAPE_CA_DN_BUG.
Browse files Browse the repository at this point in the history
This is an ancient bug workaround for Netscape clients. The documentation
talks about versions 3.x and 4.x beta.

Reviewed-by: Tim Hudson <tjh@openssl.org>
  • Loading branch information
mattcaswell committed Feb 6, 2015
1 parent ae63297 commit 3c33c6f
Show file tree
Hide file tree
Showing 4 changed files with 9 additions and 35 deletions.
5 changes: 0 additions & 5 deletions doc/ssl/SSL_CTX_set_options.pod
Original file line number Diff line number Diff line change
Expand Up @@ -169,11 +169,6 @@ will send its list of preferences to the client and the client chooses.

...

=item SSL_OP_NETSCAPE_CA_DN_BUG

If we accept a netscape connection, demand a client cert, have a
non-self-signed CA which does not have its CA in netscape, and the
browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta

=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG

Expand Down
18 changes: 3 additions & 15 deletions ssl/s3_clnt.c
Original file line number Diff line number Diff line change
Expand Up @@ -2109,8 +2109,6 @@ int ssl3_get_certificate_request(SSL *s)
for (nc = 0; nc < llen;) {
n2s(p, l);
if ((l + nc + 2) > llen) {
if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
goto cont; /* netscape bugs */
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
goto err;
Expand All @@ -2119,14 +2117,9 @@ int ssl3_get_certificate_request(SSL *s)
q = p;

if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
/* If netscape tolerance is on, ignore errors */
if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
goto cont;
else {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
goto err;
}
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
goto err;
}

if (q != (p + l)) {
Expand All @@ -2144,11 +2137,6 @@ int ssl3_get_certificate_request(SSL *s)
nc += l + 2;
}

if (0) {
cont:
ERR_clear_error();
}

/* we should setup a certificate to return.... */
s->s3->tmp.cert_req = 1;
s->s3->tmp.ctype_num = ctype_num;
Expand Down
18 changes: 4 additions & 14 deletions ssl/s3_srvr.c
Original file line number Diff line number Diff line change
Expand Up @@ -2056,20 +2056,10 @@ int ssl3_send_certificate_request(SSL *s)
goto err;
}
p = ssl_handshake_start(s) + n;
if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
s2n(j, p);
i2d_X509_NAME(name, &p);
n += 2 + j;
nl += 2 + j;
} else {
d = p;
i2d_X509_NAME(name, &p);
j -= 2;
s2n(j, d);
j += 2;
n += j;
nl += j;
}
s2n(j, p);
i2d_X509_NAME(name, &p);
n += 2 + j;
nl += 2 + j;
}
}
/* else no CA names */
Expand Down
3 changes: 2 additions & 1 deletion ssl/ssl.h
Original file line number Diff line number Diff line change
Expand Up @@ -478,7 +478,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
# define SSL_OP_PKCS1_CHECK_1 0x0
# define SSL_OP_PKCS1_CHECK_2 0x0

# define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
/* Removed as of OpenSSL 1.1.0 */
# define SSL_OP_NETSCAPE_CA_DN_BUG 0x0
# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
/*
* Make server add server-hello extension from early version of cryptopro
Expand Down

0 comments on commit 3c33c6f

Please sign in to comment.