From cd08fd7b7f7dd206dc05c7e18941b10aef11ab9a Mon Sep 17 00:00:00 2001
From: beck <>
Date: Wed, 16 Apr 2014 18:05:55 +0000
Subject: Thanks to the knobs in http://tools.ietf.org/html/rfc5746, we have a
 knob to say "allow this connection to negotiate insecurely". de-fang the code
 that respects this option to ignore it. ok miod@

---
 src/lib/libssl/t1_lib.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

(limited to 'src/lib/libssl/t1_lib.c')

diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 417b90381b..c4eeb7a41d 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1296,8 +1296,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 
 	/* Need RI if renegotiating */
 
-	if (!renegotiate_seen && s->renegotiate &&
-		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
+	if (!renegotiate_seen && s->renegotiate) {
 		*al = SSL_AD_HANDSHAKE_FAILURE;
 		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
 		SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
@@ -1533,8 +1532,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
 	 * absence on initial connect only.
 	 */
 	if (!renegotiate_seen
-		&& !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
-	&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
+	    && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
 		*al = SSL_AD_HANDSHAKE_FAILURE;
 		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
 		SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
-- 
cgit v1.2.3-55-g6feb