From 30ea4f0a44f8383a49db321f0055b9971b9f2d67 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 13 Aug 2017 16:28:45 +0000
Subject: Remove support for the TLS padding extension.

This was added as a workaround for broken F5 TLS termination, which then created issues talking to broken IronPorts. The size of the padding is hardcoded so it cannot be used in any generic sense.
ok bcook@ beck@ doug@
---
 src/lib/libssl/t1_lib.c | 36 +-----------------------------------
 1 file changed, 1 insertion(+), 35 deletions(-)
(limited to 'src/lib/libssl/t1_lib.c')
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index b8b54484ed..c141dcef31 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.132 2017/08/13 16:25:19 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.133 2017/08/13 16:28:45 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -720,40 +720,6 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
 }
 #endif
- /* * Add padding to workaround bugs in F5 terminators. * See https://tools.ietf.org/html/draft-agl-tls-padding-03 * * Note that this seems to trigger issues with IronPort SMTP * appliances. * * NB: because this code works out the length of all existing * extensions it MUST always appear last. */
- if (s->internal->options & SSL_OP_TLSEXT_PADDING) {
- int hlen = ret - (unsigned char *)s->internal->init_buf->data;
-
- /* * The code in s23_clnt.c to build ClientHello messages * includes the 5-byte record header in the buffer, while the * code in s3_clnt.c does not. */
- if (S3I(s)->hs.state == SSL23_ST_CW_CLNT_HELLO_A)
- hlen -= 5;
- if (hlen > 0xff && hlen < 0x200) {
- hlen = 0x200 - hlen;
- if (hlen >= 4)
- hlen -= 4;
- else
- hlen = 0;
-
- s2n(TLSEXT_TYPE_padding, ret);
- s2n(hlen, ret);
- memset(ret, 0, hlen);
- ret += hlen;
- }
- }
-
 if ((extdatalen = ret - p - 2) == 0)
 return p;
-- 
cgit v1.2.3-55-g6feb