diff options
author | Bob Beck <beck@cvs.openbsd.org> | 2014-04-16 18:05:56 +0000 |
---|---|---|
committer | Bob Beck <beck@cvs.openbsd.org> | 2014-04-16 18:05:56 +0000 |
commit | 05aa7130e31f4c2e42fdf88a7ab7480a14ffc2e4 (patch) | |
tree | 136dff2cc9fb2ef49a50690047e9cbe263c283c7 /lib | |
parent | bcf48fa2e38a77f66288a47a0281719e545262d3 (diff) |
Thanks to the knobs in http://tools.ietf.org/html/rfc5746, we have a knob
to say "allow this connection to negotiate insecurely". de-fang the code
that respects this option to ignore it.
ok miod@
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libssl/s3_srvr.c | 4 | ||||
-rw-r--r-- | lib/libssl/t1_lib.c | 6 |
2 files changed, 3 insertions, 7 deletions
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c index 93510cb58ae..1a924f828e5 100644 --- a/lib/libssl/s3_srvr.c +++ b/lib/libssl/s3_srvr.c @@ -269,9 +269,7 @@ ssl3_accept(SSL *s) ssl3_init_finished_mac(s); s->state = SSL3_ST_SR_CLNT_HELLO_A; s->ctx->stats.sess_accept++; - } else if (!s->s3->send_connection_binding && - !(s->options & - SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { + } else if (!s->s3->send_connection_binding) { /* * Server attempting to renegotiate with * client that doesn't support secure diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 417b90381b5..c4eeb7a41d2 100644 --- a/lib/libssl/t1_lib.c +++ b/lib/libssl/t1_lib.c @@ -1296,8 +1296,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, /* Need RI if renegotiating */ - if (!renegotiate_seen && s->renegotiate && - !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { + if (!renegotiate_seen && s->renegotiate) { *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); @@ -1533,8 +1532,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, * absence on initial connect only. */ if (!renegotiate_seen - && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) - && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { + && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |