Legacy renegotiation in 0.9.8m and "notlsext"

Victor Duchovni
Thu, 04 Feb 2010 12:18:35 -0800
It was not clear to me whether the new code in 0.9.8 to support
secure renegotiation requires "tlsext" support, or is still
enabled even with OpenSSL 0.9.8m Configured with "notlsext"
(I can't deploy a "tlsext" build of 0.9.8m, because this breaks
binary compatibility of shared libraries with previous 0.9.8
releases).

It appears that the secure renegotiation code is still present in a
"notlsext" configuration, and does not break binary compatibility.
If someone could confirm this "officially", that would be great.

In looking at the code, I found a surprising assymetry between the
s_client and s_server changes for 0.9.8m. The s_client code supports
the "-legacy_renegotiation" flag with "notlsext", but the "s_server"
code does not. I am guessing this is unintentional:

--- apps/s_client.c     2010-02-04 12:37:56.126584525 -0500
+++ apps/s_client.c     2009-12-16 15:34:19.907161627 -0500
@@ -238,2 +245,8 @@
        BIO_printf(bio_err," -sess_in arg  - file to read SSL session from\n");
+#ifndef OPENSSL_NO_TLSEXT
+       BIO_printf(bio_err," -servername host  - Set TLS extension servername 
in ClientHello\n");
+       BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions 
received\n");
+       BIO_printf(bio_err," -status           - request certificate status 
from server\n");
+       BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis 
session tickets\n");
+#endif
        BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy 
renegotiation (dangerous)\n");

--- apps/s_server.c     2010-02-04 12:37:56.135583361 -0500
+++ apps/s_server.c     2009-12-08 08:47:27.109842042 -0500
@@ -378,2 +397,13 @@
        BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, 
LIST_SEPARATOR_CHAR);
+#ifndef OPENSSL_NO_TLSEXT
+       BIO_printf(bio_err," -servername host - servername for HostName TLS 
extension\n");
+       BIO_printf(bio_err," -servername_fatal - on mismatch send fatal alert 
(default warning alert)\n");
+       BIO_printf(bio_err," -cert2 arg    - certificate file to use for 
servername\n");
+       BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT2);
+       BIO_printf(bio_err," -key2 arg     - Private Key file to use for 
servername, in cert file if\n");
+       BIO_printf(bio_err,"                 not specified (default is 
%s)\n",TEST_CERT2);
+       BIO_printf(bio_err," -tlsextdebug  - hex dump of all TLS extensions 
received\n");
+       BIO_printf(bio_err," -no_ticket    - disable use of RFC4507bis session 
tickets\n");
+       BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy 
renegotiation (dangerous)\n");
+#endif
        }

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Reply via email to