really drop SSLv2
Kees Cook
kees at ubuntu.com
Mon Jul 19 22:12:15 BST 2010
In 2008 there was discussion[1] about disabling SSLv2 in OpenSSL. The
conclusion seemed favorable for it, and so it was attempted[2] in openssl
0.9.8g-10.1ubuntu2 for Intrepid.

Unfortunately, this change seems to have had no effect on the build, and
SSLv2 has remained available. I would like to propose fixing this for real
now, and documenting the change in the SSL man pages.

I'd like to point out that even as far back as Dapper, GnuTLS has not
supported SSLv2; IMO, it is high time to make it go away for OpenSSL too.

The attached debdiff would disallow the use of SSLv2 in any mode without
wrecking the openssl library ABI.

Thoughts?

-Kees
[1] https://lists.ubuntu.com/archives/ubuntu-server/2008-July/001976.html
[2] http://launchpadlibrarian.net/16310227/openssl_0.9.8g-10.1ubuntu1_0.9.8g-10.1ubuntu2.diff.gz
--
Kees Cook
Ubuntu Security Team
-------------- next part --------------
diff -Nru openssl-0.9.8o/debian/changelog openssl-0.9.8o/debian/changelog
--- openssl-0.9.8o/debian/changelog 2010-07-19 16:45:38.000000000 +0200
+++ openssl-0.9.8o/debian/changelog 2010-07-19 22:10:18.000000000 +0200
@@ -1,3 +1,10 @@
+openssl (0.9.8o-1ubuntu3) maverick; urgency=low
+
+ * debian/patches/no-sslv2.patch: disallow use of sslv2 init methods,
+ force no-ssl2 context option.
+
+ -- Kees Cook <kees at spriggan.outflux.net> Mon, 19 Jul 2010 22:04:26 +0200
+
openssl (0.9.8o-1ubuntu2) maverick; urgency=low
* Don't build anymore for processors not supported anymore in maverick:
diff -Nru openssl-0.9.8o/debian/patches/no-sslv2.patch openssl-0.9.8o/debian/patches/no-sslv2.patch
--- openssl-0.9.8o/debian/patches/no-sslv2.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-0.9.8o/debian/patches/no-sslv2.patch 2010-07-19 22:40:36.000000000 +0200
@@ -0,0 +1,125 @@
+Description: disallow SSLv2 initialization, force it disabled for other methods.
+Author: Kees Cook <kees at ubuntu.com>
+
+Index: openssl-0.9.8o/ssl/ssl_lib.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/ssl_lib.c 2010-02-17 20:43:08.000000000 +0100
++++ openssl-0.9.8o/ssl/ssl_lib.c 2010-07-19 22:10:51.885282388 +0200
+@@ -986,8 +986,10 @@
+ return 1;
+
+ case SSL_CTRL_OPTIONS:
++ larg|=SSL_OP_NO_SSLv2;
+ return(s->options|=larg);
+ case SSL_CTRL_CLEAR_OPTIONS:
++ larg&=~SSL_OP_NO_SSLv2;
+ return(s->options&=~larg);
+ case SSL_CTRL_MODE:
+ return(s->mode|=larg);
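Review bot: in the SSL_CTRL_CLEAR_OPTIONS case, `larg&=~SSL_OP_NO_SSLv2;` turns a request to clear SSL_OP_NO_SSLv2 into a silent no-op, so the only signal a caller gets is that the bit is still present in the returned mask. The ctx variant in the next hunk behaves the same way. A short comment at both case labels saying the bit is deliberately pinned would help whoever next refreshes this patch against a new upstream release.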
+@@ -1096,8 +1098,10 @@
+ case SSL_CTRL_SESS_CACHE_FULL:
+ return(ctx->stats.sess_cache_full);
+ case SSL_CTRL_OPTIONS:
++ larg|=SSL_OP_NO_SSLv2;
+ return(ctx->options|=larg);
+ case SSL_CTRL_CLEAR_OPTIONS:
++ larg&=~SSL_OP_NO_SSLv2;
+ return(ctx->options&=~larg);
+ case SSL_CTRL_MODE:
+ return(ctx->mode|=larg);
+@@ -1444,7 +1448,7 @@
+ {
+ SSL_CTX *ret=NULL;
+
+- if (meth == NULL)
++ if (meth == NULL || meth->version <= SSL2_VERSION)
+ {
+ SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED);
+ return(NULL);
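Review bot: the new `meth->version <= SSL2_VERSION` test reuses SSL_R_NULL_SSL_METHOD_PASSED, so an application that passes a valid SSLv2 method is told it passed a NULL one; a distinct reason code, or at least a comment at this check, would make the failure diagnosable. The check also sits only in SSL_CTX_new, so it is worth confirming that the calls which replace the method on an existing context or connection (SSL_CTX_set_ssl_version, SSL_set_ssl_method) get the same version test.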
+@@ -1603,6 +1607,9 @@
+ */
+ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+
++ /* Force no SSLv2 for all methods */
++ ret->options |= SSL_OP_NO_SSLv2;
++
+ return(ret);
+ err:
+ SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
+Index: openssl-0.9.8o/test/testssl
+===================================================================
+--- openssl-0.9.8o.orig/test/testssl 2005-02-02 00:48:36.000000000 +0100
++++ openssl-0.9.8o/test/testssl 2010-07-19 22:10:51.885282388 +0200
+@@ -33,17 +33,17 @@
+ #############################################################################
+
+ echo test sslv2
+-$ssltest -ssl2 $extra || exit 1
++$ssltest -ssl2 $extra && exit 1
+
+ echo test sslv2 with server authentication
+-$ssltest -ssl2 -server_auth $CA $extra || exit 1
++$ssltest -ssl2 -server_auth $CA $extra && exit 1
+
+ if [ $dsa_cert = NO ]; then
+ echo test sslv2 with client authentication
+- $ssltest -ssl2 -client_auth $CA $extra || exit 1
++ $ssltest -ssl2 -client_auth $CA $extra && exit 1
+
+ echo test sslv2 with both client and server authentication
+- $ssltest -ssl2 -server_auth -client_auth $CA $extra || exit 1
++ $ssltest -ssl2 -server_auth -client_auth $CA $extra && exit 1
+ fi
+
+ echo test sslv3
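Review bot: the rewritten `$ssltest -ssl2 $extra && exit 1` lines treat any non-zero exit as a pass, so a crashing or missing ssltest binary is indistinguishable from SSLv2 being correctly refused. Consider matching the expected error in the output rather than relying on the exit status alone, and changing the echo text to say the handshake is expected to fail so the build log is not misleading. The same applies to the BIO pair variants in the next hunk.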
+@@ -71,17 +71,17 @@
+ $ssltest -server_auth -client_auth $CA $extra || exit 1
+
+ echo test sslv2 via BIO pair
+-$ssltest -bio_pair -ssl2 $extra || exit 1
++$ssltest -bio_pair -ssl2 $extra && exit 1
+
+ echo test sslv2 with server authentication via BIO pair
+-$ssltest -bio_pair -ssl2 -server_auth $CA $extra || exit 1
++$ssltest -bio_pair -ssl2 -server_auth $CA $extra && exit 1
+
+ if [ $dsa_cert = NO ]; then
+ echo test sslv2 with client authentication via BIO pair
+- $ssltest -bio_pair -ssl2 -client_auth $CA $extra || exit 1
++ $ssltest -bio_pair -ssl2 -client_auth $CA $extra && exit 1
+
+ echo test sslv2 with both client and server authentication via BIO pair
+- $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA $extra || exit 1
++ $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA $extra && exit 1
+ fi
+
+ echo test sslv3 via BIO pair
+Index: openssl-0.9.8o/doc/ssl/SSL_CTX_new.pod
+===================================================================
+--- openssl-0.9.8o.orig/doc/ssl/SSL_CTX_new.pod 2010-07-19 22:35:59.305282967 +0200
++++ openssl-0.9.8o/doc/ssl/SSL_CTX_new.pod 2010-07-19 22:39:09.324088083 +0200
+@@ -30,6 +30,10 @@
+ and will also indicate that it only understand SSLv2. A server will only
+ understand SSLv2 client hello messages.
+
++Note: in Ubuntu 10.10 and later this method cannot be used. The SSLv2
++protocol is considered unsafe, and all attempts to use it will result
++in the error "null ssl method passed".
++
+ =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
+
+ A TLS/SSL connection established with these methods will only understand the
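Review bot: the added note says attempts to use the method "will result in the error" but not which call fails. Per the ssl_lib.c change it is SSL_CTX_new() that returns NULL with that error queued; saying so here would tell callers where to add the check.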
+Index: openssl-0.9.8o/doc/ssl/SSL_CTX_set_options.pod
+===================================================================
+--- openssl-0.9.8o.orig/doc/ssl/SSL_CTX_set_options.pod 2010-07-19 22:39:31.044042368 +0200
++++ openssl-0.9.8o/doc/ssl/SSL_CTX_set_options.pod 2010-07-19 22:40:34.534120783 +0200
+@@ -202,6 +202,9 @@
+
+ Do not use the SSLv2 protocol.
+
++Note: in Ubuntu 10.10 and later, this option is always set and cannot be
++disabled. SSLv2 is never available.
++
+ =item SSL_OP_NO_SSLv3
+
+ Do not use the SSLv3 protocol.
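Review bot: "cannot be disabled" in the added note is ambiguous between the option and the protocol; "cannot be cleared" would be unambiguous. Since the ssl_lib.c hunks make SSL_CTRL_CLEAR_OPTIONS ignore this bit without an error, the note should also say that a clear request for SSL_OP_NO_SSLv2 is silently ignored.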
diff -Nru openssl-0.9.8o/debian/patches/series openssl-0.9.8o/debian/patches/series
--- openssl-0.9.8o/debian/patches/series 2010-06-14 17:04:09.000000000 +0200
+++ openssl-0.9.8o/debian/patches/series 2010-07-19 22:10:48.000000000 +0200
@@ -21,3 +21,4 @@
aesni.patch
perlpath-quilt.patch
Bsymbolic-functions.patch
+no-sslv2.patch
diff -Nru openssl-0.9.8o/debian/rules openssl-0.9.8o/debian/rules
--- openssl-0.9.8o/debian/rules 2010-07-19 16:44:00.000000000 +0200
+++ openssl-0.9.8o/debian/rules 2010-07-19 22:44:41.000000000 +0200
@@ -71,9 +71,11 @@
clean:
dh_testdir
dh_testroot
+ dh_clean
-rm -f build
-./Configure $(CONFARGS) debian-$(DEB_HOST_ARCH)
[ ! -f Makefile ] || make -f Makefile clean clean-shared
+ [ ! -f test/Makefile ] || make -C test clean
#-make -f Makefile dclean
# perl util/ssldir.pl /usr/local/ssl
-rm -f test/.rnd test/testkey.pem test/testreq.pem test/certCA.srl
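Review bot: the dh_clean move to the top of the clean target and the new `[ ! -f test/Makefile ] || make -C test clean` line are not mentioned in the debian/changelog entry in this debdiff, which lists only no-sslv2.patch. Either add a changelog line explaining why the clean target needed changing, or split these out so the SSLv2 change can be reviewed on its own.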
@@ -88,7 +90,6 @@
-rm -f libcrypto.* libssl.*
-cd test && rm -f .rnd tmp.bntest tmp.bctest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff bntest ectest ecdsatest ecdhtest ideatest md2test md4test md5test hmactest rc2test rc4test rc5test destest shatest sha1test sha256t sha512t mdc2test rmdtest randtest dhtest enginetest bftest casttest ssltest exptest dsatest rsa_test evp_test *.ss *.srl log dummytest newkey.pem igetest
-rm Makefile apps/CA.pl tools/c_rehash crypto/opensslconf.h crypto/x86_64cpuid.S
- dh_clean
binary-indep: build
dh_testdir