author | 2014-10-15 21:02:39 +0000 | |
---|---|---|
committer | 2014-10-15 21:02:39 +0000 | |
commit | ab0eb4f046ac3ac986754a12edb26ea62bf980f2 (patch) | |
tree | f30d90047d35f8841b978d2b413a552cb7abd42d | |
parent | basic formatting fixes; (diff) | |
Fuck it. No SSLv3; not now, not ever. The API of the future will only
support the protocols of the future.
(Perhaps a bit late in burning this bridge entirely, but there's no time
like the present, esp. with other players now leaning against back compat.)
-rw-r--r-- | lib/libressl/ressl.c | 6 | ||||
-rw-r--r-- | lib/libressl/ressl.h | 3 | ||||
-rw-r--r-- | lib/libressl/ressl_init.3 | 3 |
3 files changed, 4 insertions, 8 deletions
diff --git a/lib/libressl/ressl.c b/lib/libressl/ressl.c
index b500c830639..06c7d54cc28 100644
--- a/lib/libressl/ressl.c
+++ b/lib/libressl/ressl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.c,v 1.17 2014/10/15 14:11:47 jsing Exp $ */
+/* $OpenBSD: ressl.c,v 1.18 2014/10/15 21:02:39 tedu Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -172,14 +172,12 @@ int
 ressl_configure_ssl(struct ressl *ctx)
 {
 SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
- SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
 SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
 SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
 SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
- if ((ctx->config->protocols & RESSL_PROTOCOL_SSLv3) == 0)
- SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
 if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_0) == 0)
 SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
 if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_1) == 0)
diff --git a/lib/libressl/ressl.h b/lib/libressl/ressl.h
index 8fa27880770..4ca2507f5a2 100644
--- a/lib/libressl/ressl.h
+++ b/lib/libressl/ressl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.h,v 1.20 2014/10/14 22:05:28 tedu Exp $ */
+/* $OpenBSD: ressl.h,v 1.21 2014/10/15 21:02:39 tedu Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -20,7 +20,6 @@
 #define RESSL_API 20141008
-#define RESSL_PROTOCOL_SSLv3 (1 << 0)
 #define RESSL_PROTOCOL_TLSv1_0 (1 << 1)
 #define RESSL_PROTOCOL_TLSv1_1 (1 << 2)
 #define RESSL_PROTOCOL_TLSv1_2 (1 << 3)
diff --git a/lib/libressl/ressl_init.3 b/lib/libressl/ressl_init.3
index 90a35fba7d2..1ba6b460b59 100644
--- a/lib/libressl/ressl_init.3
+++ b/lib/libressl/ressl_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ressl_init.3,v 1.7 2014/10/15 19:57:43 jmc Exp $
+.\" $OpenBSD: ressl_init.3,v 1.8 2014/10/15 21:02:39 tedu Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
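Review bot: With SSL_OP_NO_SSLv3 now set unconditionally at the top of ressl_configure_ssl, a `protocols` mask that carries none of the three remaining TLS bits (for example a caller built against the old header that passed only bit 0, formerly RESSL_PROTOCOL_SSLv3) leaves every protocol version disabled, and nothing in the visible lines rejects it. Unless that is checked elsewhere, I would fail configuration early behind a guard such as `if ((ctx->config->protocols & (RESSL_PROTOCOL_TLSv1_0 | RESSL_PROTOCOL_TLSv1_1 | RESSL_PROTOCOL_TLSv1_2)) == 0)`, so the application gets a clear configuration error instead of an opaque handshake failure. A short comment above the two set_options calls, e.g. `/* SSLv2 and SSLv3 are never offered, whatever config->protocols says. */`, would also keep a later change from making them configurable again. The function body continues past the end of the hunk, so the rest of the TLS version handling is not visible here.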
@@ -217,7 +217,6 @@ sets which versions of the protocol may be used.
 Possible values are the bitwise OR of:
 .Pp
 .Bl -tag -width "RESSL_PROTOCOL_TLSv1_2" -offset indent -compact
-.It Dv RESSL_PROTOCOL_SSLv3
 .It Dv RESSL_PROTOCOL_TLSv1_0
 .It Dv RESSL_PROTOCOL_TLSv1_1
 .It Dv RESSL_PROTOCOL_TLSv1_2 |