Permalink
Browse files

Fix CVE-2011-3389. Possible attack on CBC mode with TLS 1.0.

See http://www.openssl.org/~bodo/tls-cbc.txt

The biggest reason for this mode being in SSL_OP_ALL was older versions
of IE (2002) talking to servers using OpenSSL.

Can hopefully get this into 5.4.
  • Loading branch information...
1 parent 5d90aa1 commit 96aa2eb2340c1d4131fbcc508f734ec7c807ff25 Scott MacVicar committed Jan 20, 2012
Showing with 15 additions and 3 deletions.
  1. +10 −2 ext/ftp/ftp.c
  2. +5 −1 ext/openssl/xp_ssl.c
View
@@ -243,6 +243,7 @@ ftp_login(ftpbuf_t *ftp, const char *user, const char *pass TSRMLS_DC)
{
#if HAVE_OPENSSL_EXT
SSL_CTX *ctx = NULL;
+ long ssl_ctx_options = SSL_OP_ALL;
#endif
if (ftp == NULL) {
return 0;
@@ -279,7 +280,10 @@ ftp_login(ftpbuf_t *ftp, const char *user, const char *pass TSRMLS_DC)
return 0;
}
- SSL_CTX_set_options(ctx, SSL_OP_ALL);
+#if OPENSSL_VERSION_NUMBER >= 0x0090605fL
+ ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#endif
+ SSL_CTX_set_options(ctx, ssl_ctx_options);
ftp->ssl_handle = SSL_new(ctx);
if (ftp->ssl_handle == NULL) {
@@ -1495,6 +1499,7 @@ data_accept(databuf_t *data, ftpbuf_t *ftp TSRMLS_DC)
#if HAVE_OPENSSL_EXT
SSL_CTX *ctx;
+ long ssl_ctx_options = SSL_OP_ALL;
#endif
if (data->fd != -1) {
@@ -1521,7 +1526,10 @@ data_accept(databuf_t *data, ftpbuf_t *ftp TSRMLS_DC)
return 0;
}
- SSL_CTX_set_options(ctx, SSL_OP_ALL);
+#if OPENSSL_VERSION_NUMBER >= 0x0090605fL
+ ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#endif
+ SSL_CTX_set_options(ctx, ssl_ctx_options);
data->ssl_handle = SSL_new(ctx);
if (data->ssl_handle == NULL) {
View
@@ -310,6 +310,7 @@ static inline int php_openssl_setup_crypto(php_stream *stream,
TSRMLS_DC)
{
SSL_METHOD *method;
+ long ssl_ctx_options = SSL_OP_ALL;
if (sslsock->ssl_handle) {
if (sslsock->s.is_blocked) {
@@ -377,7 +378,10 @@ static inline int php_openssl_setup_crypto(php_stream *stream,
return -1;
}
- SSL_CTX_set_options(sslsock->ctx, SSL_OP_ALL);
+#if OPENSSL_VERSION_NUMBER >= 0x0090605fL
+ ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#endif
+ SSL_CTX_set_options(sslsock->ctx, ssl_ctx_options);
#if OPENSSL_VERSION_NUMBER >= 0x0090806fL
{

0 comments on commit 96aa2eb

Please sign in to comment.