diff options
| author | jasper <> | 2010-12-15 09:42:29 +0000 |
|---|---|---|
| committer | jasper <> | 2010-12-15 09:42:29 +0000 |
| commit | 2bc6547e9d767adbb1235c01feedc6de29891672 (patch) | |
| tree | 672e8843411e32cff72a805ee8788b2b70c33693 /src/lib/libssl/s3_clnt.c | |
| parent | 599896ad39d588050b6fe1e7460764e63c9edbce (diff) | |
| download | openbsd-2bc6547e9d767adbb1235c01feedc6de29891672.tar.gz openbsd-2bc6547e9d767adbb1235c01feedc6de29891672.tar.bz2 openbsd-2bc6547e9d767adbb1235c01feedc6de29891672.zip | |
Security fix for CVE-2010-4180 as mentioned in http://www.openssl.org/news/secadv_20101202.txt.
where clients could modify the stored session
cache ciphersuite and in some cases even downgrade the suite to weaker ones.
This code is not enabled by default.
ok djm@
Diffstat (limited to 'src/lib/libssl/s3_clnt.c')
| -rw-r--r-- | src/lib/libssl/s3_clnt.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 41769febab..8cc291b922 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c | |||
| @@ -866,8 +866,11 @@ int ssl3_get_server_hello(SSL *s) | |||
| 866 | s->session->cipher_id = s->session->cipher->id; | 866 | s->session->cipher_id = s->session->cipher->id; |
| 867 | if (s->hit && (s->session->cipher_id != c->id)) | 867 | if (s->hit && (s->session->cipher_id != c->id)) |
| 868 | { | 868 | { |
| 869 | /* Workaround is now obsolete */ | ||
| 870 | #if 0 | ||
| 869 | if (!(s->options & | 871 | if (!(s->options & |
| 870 | SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) | 872 | SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) |
| 873 | #endif | ||
| 871 | { | 874 | { |
| 872 | al=SSL_AD_ILLEGAL_PARAMETER; | 875 | al=SSL_AD_ILLEGAL_PARAMETER; |
| 873 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); | 876 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); |