diff options
| author | beck <> | 2016-07-16 04:42:35 +0000 |
|---|---|---|
| committer | beck <> | 2016-07-16 04:42:35 +0000 |
| commit | b5fe48fb6c0a46375c817cf66a0fd7d6f5f3619c (patch) | |
| tree | 259627f0e007caaa69d7f9450432088108417414 /src/lib | |
| parent | 7d99259efcdd121323a579a2a013260472aed9a7 (diff) | |
| download | openbsd-b5fe48fb6c0a46375c817cf66a0fd7d6f5f3619c.tar.gz openbsd-b5fe48fb6c0a46375c817cf66a0fd7d6f5f3619c.tar.bz2 openbsd-b5fe48fb6c0a46375c817cf66a0fd7d6f5f3619c.zip | |
Limit the support of the "backward compatible" ssl2 handshake to only be
used if TLS 1.0 is enabled. Sugessted/discussed with jsing@ and bcook@.
ok guenther@ sthen@
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libssl/s23_srvr.c | 10 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/s23_srvr.c | 10 |
2 files changed, 18 insertions, 2 deletions
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c index 2e63cfc830..ed476c70d1 100644 --- a/src/lib/libssl/s23_srvr.c +++ b/src/lib/libssl/s23_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s23_srvr.c,v 1.46 2015/10/25 15:49:04 doug Exp $ */ | 1 | /* $OpenBSD: s23_srvr.c,v 1.47 2016/07/16 04:42:35 beck Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -352,6 +352,14 @@ ssl23_get_client_hello(SSL *s) | |||
| 352 | /* we have SSLv3/TLSv1 in an SSLv2 header | 352 | /* we have SSLv3/TLSv1 in an SSLv2 header |
| 353 | * (other cases skip this state) */ | 353 | * (other cases skip this state) */ |
| 354 | 354 | ||
| 355 | /* | ||
| 356 | * Limit the support of "backward compatible" headers | ||
| 357 | * only to "backward" versions of TLS. If we have moved | ||
| 358 | * on to modernity, just say no. | ||
| 359 | */ | ||
| 360 | if (s->options & SSL_OP_NO_TLSv1) | ||
| 361 | goto unsupported; | ||
| 362 | |||
| 355 | type = 2; | 363 | type = 2; |
| 356 | p = s->packet; | 364 | p = s->packet; |
| 357 | v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ | 365 | v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ |
diff --git a/src/lib/libssl/src/ssl/s23_srvr.c b/src/lib/libssl/src/ssl/s23_srvr.c index 2e63cfc830..ed476c70d1 100644 --- a/src/lib/libssl/src/ssl/s23_srvr.c +++ b/src/lib/libssl/src/ssl/s23_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s23_srvr.c,v 1.46 2015/10/25 15:49:04 doug Exp $ */ | 1 | /* $OpenBSD: s23_srvr.c,v 1.47 2016/07/16 04:42:35 beck Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -352,6 +352,14 @@ ssl23_get_client_hello(SSL *s) | |||
| 352 | /* we have SSLv3/TLSv1 in an SSLv2 header | 352 | /* we have SSLv3/TLSv1 in an SSLv2 header |
| 353 | * (other cases skip this state) */ | 353 | * (other cases skip this state) */ |
| 354 | 354 | ||
| 355 | /* | ||
| 356 | * Limit the support of "backward compatible" headers | ||
| 357 | * only to "backward" versions of TLS. If we have moved | ||
| 358 | * on to modernity, just say no. | ||
| 359 | */ | ||
| 360 | if (s->options & SSL_OP_NO_TLSv1) | ||
| 361 | goto unsupported; | ||
| 362 | |||
| 355 | type = 2; | 363 | type = 2; |
| 356 | p = s->packet; | 364 | p = s->packet; |
| 357 | v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ | 365 | v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ |