SSL_CTX_set_options()是OpenSSL民间使用编译时OPENSSL_NO_HEARTBEATS禁用TLSv1心跳的原因吗? [英] Is SSL_CTX_set_options() the reason why OpenSSL folk used a compile time OPENSSL_NO_HEARTBEATS to disable TLSv1 Heartbeats?
问题描述
在得知使用-DOPENSSL_NO_HEARTBEATS重新编译将禁用OpenSSL 1.0.1e中的TLSv1心跳后不久,我想知道为什么它不是运行时选项,而是像SSL_OP_NO_TLS_HEARTBEATS之类的东西.
Soon after learning that recompiling with -DOPENSSL_NO_HEARTBEATS will disable TLSv1 Heartbeats in OpenSSL 1.0.1e, I wondered why it was not a run-time option instead, maybe called something like SSL_OP_NO_TLS_HEARTBEATS.
因此,我研究了SSL.H,发现选项"是一个无符号的长位掩码,根据编译平台/模式的不同,它可能是32位或64位,但是似乎OpenSSL代码假定是32位,并且-更重要的是-这意味着它只有32个可能的选项,似乎已经用尽,除了位0x00000400L以外,我都是从SSL.H复制它们的.
Therefore I looked into SSL.H and discovered that 'options' is an unsigned long bitmask, which would be 32 or 64 bits depending on the compiling platform/mode, but it seemed that the OpenSSL code assumes is 32 bits, and -more importantly- it means it only has 32 possible options, which seems to have been exhausted already, all except the bit 0x00000400L, I copied them from SSL.H:
/* Option bits for SSL_CTX_set_options() */
#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L
#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
#define SSL_OP_TLS_D5_BUG 0x00000100L
#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
/***** 0x00000400L SEEMS TO BE THE ONLY OPTION BIT FREE *****/
#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L
#define SSL_OP_NO_QUERY_MTU 0x00001000L
#define SSL_OP_COOKIE_EXCHANGE 0x00002000L
#define SSL_OP_NO_TICKET 0x00004000L
#define SSL_OP_CISCO_ANYCONNECT 0x00008000L
#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
#define SSL_OP_NO_COMPRESSION 0x00020000L
#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
#define SSL_OP_SINGLE_DH_USE 0x00100000L
#define SSL_OP_EPHEMERAL_RSA 0x00200000L
#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L
#define SSL_OP_NO_SSLv2 0x01000000L
#define SSL_OP_NO_SSLv3 0x02000000L
#define SSL_OP_NO_TLSv1 0x04000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L
#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0x80000000L
您认为这是他们决定-DOPENSSL_NO_HEARTBEATS而不是SSL_OP_NO_TLS_HEARTBEATS的原因吗?如果是这样,为什么他们不对SSL_OP_NO_TLS_HEARTBEATS使用0x00000400L?我想知道你对此的看法.实际上,无论该调查的输出是什么,似乎OpenSSL都需要修复其选件系统,因为它似乎已经筋疲力尽.请让我知道我是否也在那里.
Do you think is this the reason why they decided to do -DOPENSSL_NO_HEARTBEATS instead SSL_OP_NO_TLS_HEARTBEATS ? If so, why didn't they use 0x00000400L for SSL_OP_NO_TLS_HEARTBEATS ? I would like to know your opinion on this. Actually, whatever is the output on this survey, it seems that OpenSSL needs to fix their option system, as it seems already exhausted. Please let me know if I am worng there too.
推荐答案
您明白了:[选项系统]似乎已经筋疲力尽.
You got it: as [the option system] seems already exhausted.
最后分配的选项是针对Apple的SecureTransport ECDSA错误(SSL_OP_SAFARI_ECDHE_ECDSA_BUG).这是以前使用的值.您可以在以下位置阅读有关讨论的内容(以及值的重用):
The last assigned option was for Apple's SecureTransport ECDSA bug (SSL_OP_SAFARI_ECDHE_ECDSA_BUG). It was a previously used value. You can read about the discussion (and the value reuse) at:
- Apple are, apparently, dicks...
- [PATCH] Safari broken ECDHE-ECDSA workaround
如果是,为什么他们不将0x00000400L用于SSL_OP_NO_TLS_HEARTBEATS
If so, why didn't they use 0x00000400L for SSL_OP_NO_TLS_HEARTBEATS
我相信SSL_OP_SAFARI_ECDHE_ECDSA_BUG使用它.来自 [PATCH ] Safari损坏了ECDHE-ECDSA解决方法:
+#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000400L
我想知道你对此的看法.
I would like to know your opinion on this.
我不相信它的意见;)
这篇关于SSL_CTX_set_options()是OpenSSL民间使用编译时OPENSSL_NO_HEARTBEATS禁用TLSv1心跳的原因吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
