diff options
| author | tb <> | 2023-07-11 17:02:47 +0000 |
|---|---|---|
| committer | tb <> | 2023-07-11 17:02:47 +0000 |
| commit | 4b13710d9ba5f958b4d970ae717d178937994f6e (patch) | |
| tree | 61c421dae85c6330404704532c753ffe12e4fed0 | |
| parent | ae481c84deba49b3a41609be1bf8a4e69e6f52d7 (diff) | |
| download | openbsd-4b13710d9ba5f958b4d970ae717d178937994f6e.tar.gz openbsd-4b13710d9ba5f958b4d970ae717d178937994f6e.tar.bz2 openbsd-4b13710d9ba5f958b4d970ae717d178937994f6e.zip | |
Remove old workaround for F5
F5 is well-known for needing workaround (go read RFC 8446). In this
particular case, it required implementation sending CHs larger than
255 bytes to 0x0300 otherwise their server would hang. This is the
same hang that required the CH padding extension which broke other
implementations. The CH padding extension was removed ~6 years ago,
so hopefully this kludge will no longer needed either.
ok jsing
| -rw-r--r-- | src/lib/libssl/ssl_pkt.c | 15 |
1 files changed, 2 insertions, 13 deletions
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c index 728ac141e5..2c33c45386 100644 --- a/src/lib/libssl/ssl_pkt.c +++ b/src/lib/libssl/ssl_pkt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_pkt.c,v 1.65 2022/11/26 16:08:56 tb Exp $ */ | 1 | /* $OpenBSD: ssl_pkt.c,v 1.66 2023/07/11 17:02:47 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -536,7 +536,6 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len) | |||
| 536 | SSL_SESSION *sess = s->session; | 536 | SSL_SESSION *sess = s->session; |
| 537 | int need_empty_fragment = 0; | 537 | int need_empty_fragment = 0; |
| 538 | size_t align, out_len; | 538 | size_t align, out_len; |
| 539 | uint16_t version; | ||
| 540 | CBB cbb; | 539 | CBB cbb; |
| 541 | int ret; | 540 | int ret; |
| 542 | 541 | ||
| @@ -569,16 +568,6 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len) | |||
| 569 | return 0; | 568 | return 0; |
| 570 | 569 | ||
| 571 | /* | 570 | /* |
| 572 | * Some servers hang if initial client hello is larger than 256 | ||
| 573 | * bytes and record version number > TLS 1.0. | ||
| 574 | */ | ||
| 575 | version = s->version; | ||
| 576 | if (s->s3->hs.state == SSL3_ST_CW_CLNT_HELLO_B && | ||
| 577 | !s->renegotiate && | ||
| 578 | s->s3->hs.our_max_tls_version > TLS1_VERSION) | ||
| 579 | version = TLS1_VERSION; | ||
| 580 | |||
| 581 | /* | ||
| 582 | * Countermeasure against known-IV weakness in CBC ciphersuites | 571 | * Countermeasure against known-IV weakness in CBC ciphersuites |
| 583 | * (see http://www.openssl.org/~bodo/tls-cbc.txt). Note that this | 572 | * (see http://www.openssl.org/~bodo/tls-cbc.txt). Note that this |
| 584 | * is unnecessary for AEAD. | 573 | * is unnecessary for AEAD. |
| @@ -604,7 +593,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len) | |||
| 604 | if (!CBB_init_fixed(&cbb, wb->buf + align, wb->len - align)) | 593 | if (!CBB_init_fixed(&cbb, wb->buf + align, wb->len - align)) |
| 605 | goto err; | 594 | goto err; |
| 606 | 595 | ||
| 607 | tls12_record_layer_set_version(s->rl, version); | 596 | tls12_record_layer_set_version(s->rl, s->version); |
| 608 | 597 | ||
| 609 | if (need_empty_fragment) { | 598 | if (need_empty_fragment) { |
| 610 | if (!tls12_record_layer_seal_record(s->rl, type, | 599 | if (!tls12_record_layer_seal_record(s->rl, type, |