Hi!

SSL_CTX_new currently contains:

    /* Setup RFC4507 ticket keys */
    if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
        || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
        || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
        ret->options |= SSL_OP_NO_TICKET;

followed by:

    /* Default is to connect to non-RI servers. When RI is more widely
     * deployed might change this.
     */
    ret->options = SSL_OP_LEGACY_SERVER_CONNECT;

So even if SSL_OP_NO_TICKET is set, it should be unset again due to a
SSL_OP_LEGACY_SERVER_CONNECT default.

Will SSL_OP_LEGACY_SERVER_CONNECT remain part of SSL_OP_ALL once
SSL_OP_LEGACY_SERVER_CONNECT is no longer default?

-- 
Tomas Hoger

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
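
The ordering problem described in the message above, reduced to a stand-alone C model (an added example, not OpenSSL's code and not part of the original post). The flag values, `demo_ctx` and `demo_rand` are stand-ins invented for illustration; the second function shows one possible way to keep the earlier bit, not the project's actual fix.

```c
#include <stdio.h>

/* Stand-in flag values for illustration; not OpenSSL's definitions. */
#define DEMO_OP_LEGACY_SERVER_CONNECT 0x0004UL
#define DEMO_OP_NO_TICKET             0x4000UL

/* Hypothetical context holding only what the example needs. */
struct demo_ctx {
    unsigned long options;
    unsigned char tick_key[16];
};

/* Hypothetical RNG stub: returns 1 on success, 0 on failure. */
static int demo_rand(unsigned char *buf, int len, int healthy)
{
    int i;
    if (!healthy)
        return 0;
    for (i = 0; i < len; i++)
        buf[i] = (unsigned char)(i + 1);   /* placeholder fill, not random */
    return 1;
}

/* Ordering from the post: the later plain '=' discards the NO_TICKET bit. */
unsigned long ctx_options_as_posted(int rng_healthy)
{
    struct demo_ctx c = {0};
    if (demo_rand(c.tick_key, 16, rng_healthy) <= 0)
        c.options |= DEMO_OP_NO_TICKET;
    c.options = DEMO_OP_LEGACY_SERVER_CONNECT;
    return c.options;
}

/* Variant that ORs the default in, so bits set earlier survive. */
unsigned long ctx_options_preserving(int rng_healthy)
{
    struct demo_ctx c = {0};
    if (demo_rand(c.tick_key, 16, rng_healthy) <= 0)
        c.options |= DEMO_OP_NO_TICKET;
    c.options |= DEMO_OP_LEGACY_SERVER_CONNECT;
    return c.options;
}

int main(void)
{
    printf("as posted, RNG failed:  0x%04lx\n", ctx_options_as_posted(0));
    printf("preserving, RNG failed: 0x%04lx\n", ctx_options_preserving(0));
    return 0;
}
```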
