The first chunk in the s3_lib.c patch doesn't apply. But the second
chunk does (shown below). When applying this to 1.0.1 stable, it
appears to resolve the problem.
@@ -4357,8 +4359,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s,
STACK_OF(SSL_CIPHER) *clnt,
emask_k = cert->export_mask_k;
emask_a = cert->export_mask_a;
#ifndef OPENSSL_NO_SRP
- mask_k=cert->mask_k | s->srp_ctx.srp_Mask;
- emask_k=cert->export_mask_k | s->srp_ctx.srp_Mask;
+ if (s->srp_ctx.srp_Mask & SSL_kSRP)
+ {
+ mask_k |= SSL_kSRP;
+ emask_k |= SSL_kSRP;
+ mask_a |= SSL_aSRP;
+ emask_a |= SSL_aSRP;
+ }
#endif
#ifdef KSSL_DEBUG
On 08/12/2014 01:43 PM, Kurt Roeckx via RT wrote:
> On Tue, Aug 12, 2014 at 01:26:30AM +0200, John Foley via RT wrote:
>> The commit into 1.0.1 didn't include the changes to s3_lib.c. SRP is still
>> broken on this branch. Are there any plans to fix this?
> Can you confirm that that commit from master fixes things for you?
>
>>> On Aug 11, 2014, at 6:41 PM, "Kurt Roeckx via RT" <[email protected]> wrote:
>>>
>>>> On Mon, Aug 11, 2014 at 11:09:51PM +0200, John Foley via RT wrote:
>>>> The fix discussed in this thread appears to be incomplete:
>>>>
>>>> http://marc.info/?l=openssl-users&m=140752401023837&w=2
>>>>
>>>> This fix works for SRP cipher suites that uses RSA for DSA, which
>>>> includes 6 of the 9 supported SRP cipher suites. But the three SRP
>>>> cipher suites that don't rely on a server-side certificate are still
>>>> broken. This problem can be recreated using these commands:
>>> I believe this is already in master in commit
>>> 9e72d496d4f9880ec98f0ed9168246e35c1c3059
>>>
>>>
>>> Kurt
>>>
>>>
>>
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> Development Mailing List [email protected]
>> Automated List Manager [email protected]
>>
>
> .
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
