diff options
| author | Bob Beck <beck@cvs.openbsd.org> | 2016-07-16 04:42:36 +0000 |
|---|---|---|
| committer | Bob Beck <beck@cvs.openbsd.org> | 2016-07-16 04:42:36 +0000 |
| commit | 4eee0c04684e5b7e6d77fa628bb54f65e5e3bf6d (patch) | |
| tree | 300dd041c9d8a533773de2d06ce8d4d3667aa50d /lib/libssl | |
| parent | 6e0b9746711de3124881e28c2357f430c4f07122 (diff) | |
Limit the support of the "backward compatible" ssl2 handshake to only be
used if TLS 1.0 is enabled. Sugessted/discussed with jsing@ and bcook@.
ok guenther@ sthen@
Diffstat (limited to 'lib/libssl')
| -rw-r--r-- | lib/libssl/src/ssl/s23_srvr.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/libssl/src/ssl/s23_srvr.c b/lib/libssl/src/ssl/s23_srvr.c index 2e63cfc830d..ed476c70d16 100644 --- a/lib/libssl/src/ssl/s23_srvr.c +++ b/lib/libssl/src/ssl/s23_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s23_srvr.c,v 1.46 2015/10/25 15:49:04 doug Exp $ */ +/* $OpenBSD: s23_srvr.c,v 1.47 2016/07/16 04:42:35 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -352,6 +352,14 @@ ssl23_get_client_hello(SSL *s) /* we have SSLv3/TLSv1 in an SSLv2 header * (other cases skip this state) */ + /* + * Limit the support of "backward compatible" headers + * only to "backward" versions of TLS. If we have moved + * on to modernity, just say no. + */ + if (s->options & SSL_OP_NO_TLSv1) + goto unsupported; + type = 2; p = s->packet; v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ |