RSA-PSK key exchange requires TLS 1.x

It's not clear if, with SSL3, one should include send the two length bytes for EncryptedPreMasterSecret or not, so require TLS to avoid interop issues.
2024-11-22 05:35:38 +01:00 · 2014-07-13 16:16:44 +02:00 · 2014-07-13 16:16:44 +02:00 · a04fa4fa04
commit a04fa4fa04
parent e46aa5e336
2 changed files with 7 additions and 5 deletions
--- a/2
+++ b/2
@ -8,6 +8,8 @@ Bugfix
 Changes
   * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
     standard defining how to use SHA-2 with SSL 3.0).
+   * Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is
+     ambiguous on how to encode some packets with SSL 3.0).

 = PolarSSL 1.3.8 released 2014-07-11
 Security
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@ -1444,13 +1444,13 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
 #if defined(POLARSSL_SHA1_C)
    { TLS_RSA_PSK_WITH_AES_128_CBC_SHA, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA",
      POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
-      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
+      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },

    { TLS_RSA_PSK_WITH_AES_256_CBC_SHA, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA",
      POLARSSL_CIPHER_AES_256_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
-      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
+      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
 #endif /* POLARSSL_SHA1_C */
@ -1500,7 +1500,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
 #if defined(POLARSSL_SHA1_C)
    { TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA",
      POLARSSL_CIPHER_DES_EDE3_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
-      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
+      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
 #endif /* POLARSSL_SHA1_C */
@ -1511,7 +1511,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
 #if defined(POLARSSL_SHA1_C)
    { TLS_RSA_PSK_WITH_RC4_128_SHA, "TLS-RSA-PSK-WITH-RC4-128-SHA",
      POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
-      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
+      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      0 },
 #endif /* POLARSSL_SHA1_C */
@ -1628,7 +1628,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
 #if defined(POLARSSL_SHA1_C)
    { TLS_RSA_PSK_WITH_NULL_SHA, "TLS-RSA-PSK-WITH-NULL-SHA",
      POLARSSL_CIPHER_NULL, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
-      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
+      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
      POLARSSL_CIPHERSUITE_WEAK },
 #endif /* POLARSSL_SHA1_C */