Expose all SSL_OP_* constants

Bug #1244201 reported by Tobias Oberstein on 2013-10-24
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
pyOpenSSL
New
Undecided
Unassigned

Bug Description

My immediate pain point is the lack of `SSL_OP_NO_COMPRESSION` and `SSL_OP_CIPHER_SERVER_PREFERENCE` in

```
>>> OpenSSL.__version__
'0.13.1'
>>> SSL.SSLeay_version(SSL.SSLEAY_VERSION)
'OpenSSL 1.0.1e-fips 11 Feb 2013'
>>>
```

It would be awesome to have just _all_ constants there (this is just excerpt from openssl header .. some of those are already exposed):

```
#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
/* Allow initial connection to servers that don't support RI */
#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
#define SSL_OP_TLS_D5_BUG 0x00000100L
#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L

/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
 * in OpenSSL 0.9.6d. Usually (depending on the application protocol)
 * the workaround is not needed. Unfortunately some broken SSL/TLS
 * implementations cannot handle it at all, which is why we include
 * it in SSL_OP_ALL. */
#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L /* added in 0.9.6e */

/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
 * This used to be 0x000FFFFFL before 0.9.7. */
#define SSL_OP_ALL 0x80000BFFL

/* DTLS options */
#define SSL_OP_NO_QUERY_MTU 0x00001000L
/* Turn on Cookie Exchange (on relevant for servers) */
#define SSL_OP_COOKIE_EXCHANGE 0x00002000L
/* Don't use RFC4507 ticket extension */
#define SSL_OP_NO_TICKET 0x00004000L
/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */
#define SSL_OP_CISCO_ANYCONNECT 0x00008000L

/* As server, disallow session resumption on renegotiation */
#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
/* Don't use compression even if supported */
#define SSL_OP_NO_COMPRESSION 0x00020000L
/* Permit unsafe legacy renegotiation */
#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
/* If set, always create a new key when using tmp_ecdh parameters */
#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
/* If set, always create a new key when using tmp_dh parameters */
#define SSL_OP_SINGLE_DH_USE 0x00100000L
/* Set to always use the tmp_rsa key when doing RSA operations,
 * even when this violates protocol specs */
#define SSL_OP_EPHEMERAL_RSA 0x00200000L
/* Set on servers to choose the cipher according to the server's
 * preferences */
#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
/* If set, a server will allow a client to issue a SSLv3.0 version number
 * as latest version supported in the premaster secret, even when TLSv1.0
 * (version 3.1) was announced in the client hello. Normally this is
 * forbidden to prevent version rollback attacks. */
#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L

#define SSL_OP_NO_SSLv2 0x01000000L
#define SSL_OP_NO_SSLv3 0x02000000L
#define SSL_OP_NO_TLSv1 0x04000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L

/* These next two were never actually used for anything since SSLeay
 * zap so we have some more flags.
 */
/* The next flag deliberately changes the ciphertest, this is a check
 * for the PKCS#1 attack */
#define SSL_OP_PKCS1_CHECK_1 0x0
#define SSL_OP_PKCS1_CHECK_2 0x0

#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
/* Make server add server-hello extension from early version of
 * cryptopro draft, when GOST ciphersuite is negotiated.
 * Required for interoperability with CryptoPro CSP 3.x
 */
#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0x80000000L
```

Update: there are at least 4 constants that appear to be desirable:

```
SSL.OP_NO_COMPRESSION = 0x00020000L
SSL.OP_CIPHER_SERVER_PREFERENCE = 0x00400000L
SSL.OP_SINGLE_ECDH_USE = 0x00080000L
SSL.OP_SINGLE_DH_USE = 0x00100000L
```

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers