diff options
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 34 |
1 files changed, 20 insertions, 14 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 398ce469d6..80b45eb86f 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c | |||
| @@ -902,22 +902,28 @@ int ssl3_get_client_hello(SSL *s) | |||
| 902 | break; | 902 | break; |
| 903 | } | 903 | } |
| 904 | } | 904 | } |
| 905 | if (j == 0) | 905 | if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) |
| 906 | { | 906 | { |
| 907 | if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) | 907 | /* Special case as client bug workaround: the previously used cipher may |
| 908 | { | 908 | * not be in the current list, the client instead might be trying to |
| 909 | /* Very bad for multi-threading.... */ | 909 | * continue using a cipher that before wasn't chosen due to server |
| 910 | s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0); | 910 | * preferences. We'll have to reject the connection if the cipher is not |
| 911 | } | 911 | * enabled, though. */ |
| 912 | else | 912 | c = sk_SSL_CIPHER_value(ciphers, 0); |
| 913 | if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) | ||
| 913 | { | 914 | { |
| 914 | /* we need to have the cipher in the cipher | 915 | s->session->cipher = c; |
| 915 | * list if we are asked to reuse it */ | 916 | j = 1; |
| 916 | al=SSL_AD_ILLEGAL_PARAMETER; | ||
| 917 | SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); | ||
| 918 | goto f_err; | ||
| 919 | } | 917 | } |
| 920 | } | 918 | } |
| 919 | if (j == 0) | ||
| 920 | { | ||
| 921 | /* we need to have the cipher in the cipher | ||
| 922 | * list if we are asked to reuse it */ | ||
| 923 | al=SSL_AD_ILLEGAL_PARAMETER; | ||
| 924 | SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); | ||
| 925 | goto f_err; | ||
| 926 | } | ||
| 921 | } | 927 | } |
| 922 | 928 | ||
| 923 | /* compression */ | 929 | /* compression */ |
| @@ -2560,7 +2566,7 @@ int ssl3_get_client_certificate(SSL *s) | |||
| 2560 | else | 2566 | else |
| 2561 | { | 2567 | { |
| 2562 | i=ssl_verify_cert_chain(s,sk); | 2568 | i=ssl_verify_cert_chain(s,sk); |
| 2563 | if (!i) | 2569 | if (i <= 0) |
| 2564 | { | 2570 | { |
| 2565 | al=ssl_verify_alarm_type(s->verify_result); | 2571 | al=ssl_verify_alarm_type(s->verify_result); |
| 2566 | SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); | 2572 | SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); |