Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 34 |
1 files changed, 14 insertions, 20 deletions
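--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -902,27 +902,21 @@ int ssl3_get_client_hello(SSL *s)
 break;
 }
 }
-if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
-{
-/* Special case as client bug workaround: the previously used cipher may
-* not be in the current list, the client instead might be trying to
-* continue using a cipher that before wasn't chosen due to server
-* preferences. We'll have to reject the connection if the cipher is not
-* enabled, though. */
-c = sk_SSL_CIPHER_value(ciphers, 0);
-if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0)
-{
-s->session->cipher = c;
-j = 1;
-}
-}
 if (j == 0)
 {
-/* we need to have the cipher in the cipher
-* list if we are asked to reuse it */
-al=SSL_AD_ILLEGAL_PARAMETER;
-SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING);
-goto f_err;
+if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
+{
+/* Very bad for multi-threading.... */
+s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0);
+}
+else
+{
+/* we need to have the cipher in the cipher
+* list if we are asked to reuse it */
+al=SSL_AD_ILLEGAL_PARAMETER;
+SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING);
+goto f_err;
+}
 }
 }
 
@@ -2566,7 +2560,7 @@ int ssl3_get_client_certificate(SSL *s)
 else
 {
 i=ssl_verify_cert_chain(s,sk);
-if (i <= 0)
+if (!i)
 {
 al=ssl_verify_alarm_type(s->verify_result);
 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);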
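Review bot: The new `if (!i)` in ssl3_get_client_certificate lets a negative return from ssl_verify_cert_chain() fall through as if the client chain had verified; the removed line tested `i <= 0`, which suggests error results below zero are possible, so the check should stay `if (i <= 0)`. In the ssl3_get_client_hello hunk, the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG branch now assigns `s->session->cipher` from the client's single offered cipher without the `sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0` test, so a resumed session can end up on a cipher the server has not enabled. That branch also writes to the session object, which the new comment itself flags as unsafe across threads; keeping the enabled-cipher lookup before the assignment and rejecting with SSL_R_REQUIRED_CIPHER_MISSING otherwise would close the first gap. Both functions start and end outside the hunks shown, so the surrounding handling of `j`, `al` and `f_err` is assumed from these lines only.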
