Commit 8d934c25 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

PR: 2171

Submitted by: Tomas Mraz <tmraz@redhat.com>

Since SSLv2 doesn't support renegotiation at all, don't reject it if
legacy renegotiation isn't enabled.

Also, an SSLv2-compatible client hello can now be used, because RFC 5746 supports it.
parent 1458b931
+0 −3
@@ -311,9 +311,6 @@ static int ssl23_client_hello(SSL *s)
			ssl2_compat = 0;
		if (s->tlsext_status_type != -1)
			ssl2_compat = 0;
		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
			ssl2_compat = 0;
		
#ifdef TLSEXT_TYPE_opaque_prf_input
		if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL)
			ssl2_compat = 0;
+0 −5
@@ -509,11 +509,6 @@ int ssl23_get_client_hello(SSL *s)
		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
		goto err;
#else
		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
			{
			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
			goto err;
			}
		/* we are talking sslv2 */
		/* we need to clean up the SSLv3/TLSv1 setup and put in the
		 * sslv2 stuff. */