The first chunk in the s3_lib.c patch doesn't apply. But the second chunk does (shown below). When applying this to 1.0.1 stable, it appears to resolve the problem.
@@ -4357,8 +4359,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, emask_k = cert->export_mask_k; emask_a = cert->export_mask_a; #ifndef OPENSSL_NO_SRP - mask_k=cert->mask_k | s->srp_ctx.srp_Mask; - emask_k=cert->export_mask_k | s->srp_ctx.srp_Mask; + if (s->srp_ctx.srp_Mask & SSL_kSRP) + { + mask_k |= SSL_kSRP; + emask_k |= SSL_kSRP; + mask_a |= SSL_aSRP; + emask_a |= SSL_aSRP; + } #endif #ifdef KSSL_DEBUG

On 08/12/2014 01:43 PM, Kurt Roeckx via RT wrote:
> On Tue, Aug 12, 2014 at 01:26:30AM +0200, John Foley via RT wrote:
>> The commit into 1.0.1 didn't include the changes to s3_lib.c. SRP is still
>> broken on this branch. Are there any plans to fix this?
> Can you confirm that that commit from master fixes things for you?
>
>>> On Aug 11, 2014, at 6:41 PM, "Kurt Roeckx via RT" <r...@openssl.org> wrote:
>>>
>>>> On Mon, Aug 11, 2014 at 11:09:51PM +0200, John Foley via RT wrote:
>>>> The fix discussed in this thread appears to be incomplete:
>>>>
>>>> http://marc.info/?l=openssl-users&m=140752401023837&w=2
>>>>
>>>> This fix works for SRP cipher suites that uses RSA for DSA, which
>>>> includes 6 of the 9 supported SRP cipher suites. But the three SRP
>>>> cipher suites that don't rely on a server-side certificate are still
>>>> broken. This problem can be recreated using these commands:
>>> I believe this is already in master in commit
>>> 9e72d496d4f9880ec98f0ed9168246e35c1c3059
>>>
>>>
>>> Kurt
>>>
>>
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> Development Mailing List openssl-dev@openssl.org
>> Automated List Manager majord...@openssl.org
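Review bot: The new `mask_k |= SSL_kSRP;` and `mask_a |= SSL_aSRP;` lines depend on mask_k and mask_a having already been assigned from the cert before the `#ifndef OPENSSL_NO_SRP` block. The visible context shows only `emask_k = cert->export_mask_k;` and `emask_a = cert->export_mask_a;`, and the removed lines used to assign mask_k and emask_k outright, so please confirm on 1.0.1 stable that the two non-export masks are initialised just above this hunk. Otherwise the OR operates on an indeterminate value. Two smaller points: the old code OR'd the whole of `s->srp_ctx.srp_Mask` into the key-exchange masks, while the new code adds only the SSL_kSRP bit and newly sets SSL_aSRP in both auth masks, so a short comment inside the `if` saying this is what enables the SRP suites without a server certificate would help the next reader. And since the first s3_lib.c chunk did not apply, the backport should state what that chunk changed and whether 1.0.1 needs an equivalent, so the branch does not end up with half of the master fix.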