commit a04fa4fa040e02d2588bb82f75b19ba94a10d26e
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Sun Jul 13 16:16:44 2014 +0200
committer Manuel Pégourié-Gonnard <mpg@elzevir.fr> Thu Aug 14 11:34:34 2014 +0200
tree 6091a94675cdd92f1028be0274b66fdb961e755e
parent e46aa5e336dfdbc302044f0c5451abdd2e98ddb6

RSA-PSK key exchange requires TLS 1.x

It's not clear if, with SSL3, one should include send the two length bytes for
EncryptedPreMasterSecret or not, so require TLS to avoid interop issues.

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index 58f8809..cb1be26 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,8 @@
 Changes
    * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
      standard defining how to use SHA-2 with SSL 3.0).
+   * Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is
+     ambiguous on how to encode some packets with SSL 3.0).
 
 = PolarSSL 1.3.8 released 2014-07-11
 Security

library/ssl_ciphersuites.c

diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 84e8120..b05b8dd 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -1444,13 +1444,13 @@
 #if defined(POLARSSL_SHA1_C)
     { TLS_RSA_PSK_WITH_AES_128_CBC_SHA, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA",
       POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
-      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
+      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
       SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
       0 },
 
     { TLS_RSA_PSK_WITH_AES_256_CBC_SHA, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA",
       POLARSSL_CIPHER_AES_256_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
-      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
+      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
       SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
       0 },
 #endif /* POLARSSL_SHA1_C */
@@ -1500,7 +1500,7 @@
 #if defined(POLARSSL_SHA1_C)
     { TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA",
       POLARSSL_CIPHER_DES_EDE3_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
-      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
+      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
       SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
       0 },
 #endif /* POLARSSL_SHA1_C */
@@ -1511,7 +1511,7 @@
 #if defined(POLARSSL_SHA1_C)
     { TLS_RSA_PSK_WITH_RC4_128_SHA, "TLS-RSA-PSK-WITH-RC4-128-SHA",
       POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
-      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
+      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
       SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
       0 },
 #endif /* POLARSSL_SHA1_C */
@@ -1628,7 +1628,7 @@
 #if defined(POLARSSL_SHA1_C)
     { TLS_RSA_PSK_WITH_NULL_SHA, "TLS-RSA-PSK-WITH-NULL-SHA",
       POLARSSL_CIPHER_NULL, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK,
-      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0,
+      SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1,
       SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
       POLARSSL_CIPHERSUITE_WEAK },
 #endif /* POLARSSL_SHA1_C */