summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorBob Beck <beck@cvs.openbsd.org>2014-04-16 18:05:56 +0000
committerBob Beck <beck@cvs.openbsd.org>2014-04-16 18:05:56 +0000
commit05aa7130e31f4c2e42fdf88a7ab7480a14ffc2e4 (patch)
tree136dff2cc9fb2ef49a50690047e9cbe263c283c7 /lib
parentbcf48fa2e38a77f66288a47a0281719e545262d3 (diff)
Thanks to the knobs in http://tools.ietf.org/html/rfc5746, we have a knob
to say "allow this connection to negotiate insecurely". de-fang the code that respects this option to ignore it. ok miod@
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/s3_srvr.c4
-rw-r--r--lib/libssl/t1_lib.c6
2 files changed, 3 insertions, 7 deletions
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 93510cb58ae..1a924f828e5 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -269,9 +269,7 @@ ssl3_accept(SSL *s)
ssl3_init_finished_mac(s);
s->state = SSL3_ST_SR_CLNT_HELLO_A;
s->ctx->stats.sess_accept++;
- } else if (!s->s3->send_connection_binding &&
- !(s->options &
- SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
+ } else if (!s->s3->send_connection_binding) {
/*
* Server attempting to renegotiate with
* client that doesn't support secure
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index 417b90381b5..c4eeb7a41d2 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -1296,8 +1296,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
/* Need RI if renegotiating */
- if (!renegotiate_seen && s->renegotiate &&
- !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
+ if (!renegotiate_seen && s->renegotiate) {
*al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
@@ -1533,8 +1532,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
* absence on initial connect only.
*/
if (!renegotiate_seen
- && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
- && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
+ && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
*al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);