WARNING! Gitlab maintenance operation scheduled for Thursday, 18 June between 19:00 and 20:00 (CET). During this time window, short service interruptions (less than 5 minutes) may occur. Thank you in advance for your understanding.

Commit 8511b5f5 authored Dec 24, 2013 by Dr. Stephen Henson

Don't change version number if session established

When sending an invalid version number alert don't change the
version number to the client version if a session is already
established.

Thanks to Marek Majkowski for additional analysis of this issue.

PR#3191
(cherry picked from commit b77b58a3)

parent 546d6760

ssl/s3_pkt.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -337,7 +337,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
		if (version != s->version)
		{
		SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
		if ((s->version & 0xFF00) == (version & 0xFF00))
		if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
		/* Send back error using their minor version number :-) */
		s->version = (unsigned short)version;
		al=SSL_AD_PROTOCOL_VERSION;

ssl/s3_srvr.c

+5 −4

Original line number	Diff line number	Diff line
		@@ -968,12 +968,13 @@ int ssl3_get_client_hello(SSL *s)
		s->client_version=(((int)p[0])<<8)\|(int)p[1];
		p+=2;

		if ((SSL_IS_DTLS(s) && s->client_version > s->version
		&& s->method->version != DTLS_ANY_VERSION) \|\|
		(!SSL_IS_DTLS(s) && s->client_version < s->version))
		if (SSL_IS_DTLS(s) ? (s->client_version > s->version &&
		s->method->version != DTLS_ANY_VERSION)
		: (s->client_version < s->version))
		{
		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
		if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
		if ((s->client_version>>8) == SSL3_VERSION_MAJOR &&
		!s->enc_write_ctx && !s->write_hash)
		{
		/* similar to ssl3_get_record, send alert using remote version number */
		s->version = s->client_version;