1 files changed, 8 insertions, 0 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 80b45eb86f..79f3706c31 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -718,6 +718,14 @@ int ssl3_get_client_hello(SSL *s)
 #endif
        STACK_OF(SSL_CIPHER) *ciphers=NULL;
+        if (s->new_session
+            && !(s->s3->flags&SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+                {
+                al=SSL_AD_HANDSHAKE_FAILURE;
+                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+                goto f_err;
+                }
        /* We do this so that we will respond with our native type.
         * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
         * This down switching should be handled by a different method.

diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 80b45eb86f..79f3706c31 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c
@@ -718,6 +718,14 @@ int ssl3_get_client_hello(SSL *s)
718	#endif	718	#endif
719	STACK_OF(SSL_CIPHER) *ciphers=NULL;	719	STACK_OF(SSL_CIPHER) *ciphers=NULL;
720		720
		721	if (s->new_session
		722	&& !(s->s3->flags&SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
		723	{
		724	al=SSL_AD_HANDSHAKE_FAILURE;
		725	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
		726	goto f_err;
		727	}
		728
721	/* We do this so that we will respond with our native type.	729	/* We do this so that we will respond with our native type.
722	* If we are TLSv1 and we get SSLv3, we will respond with TLSv1,	730	* If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
723	* This down switching should be handled by a different method.	731	* This down switching should be handled by a different method.