WARNING! Gitlab maintenance operation scheduled for Thursday, 18 June between 19:00 and 20:00 (CET). During this time window, short service interruptions (less than 5 minutes) may occur. Thank you in advance for your understanding.

Commit 8d934c25 authored Feb 16, 2010 by Dr. Stephen Henson

PR: 2171

Submitted by: Tomas Mraz <tmraz@redhat.com>

Since SSLv2 doesn't support renegotiation at all don't reject it if
legacy renegotiation isn't enabled.

Also can now use SSL2 compatible client hello because RFC5746 supports it.

parent 1458b931

ssl/s23_clnt.c

+0 −3

Original line number	Diff line number	Diff line
		@@ -311,9 +311,6 @@ static int ssl23_client_hello(SSL *s)
		ssl2_compat = 0;
		if (s->tlsext_status_type != -1)
		ssl2_compat = 0;
		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
		ssl2_compat = 0;

		#ifdef TLSEXT_TYPE_opaque_prf_input
		if (s->ctx->tlsext_opaque_prf_input_callback != 0 \|\| s->tlsext_opaque_prf_input != NULL)
		ssl2_compat = 0;

ssl/s23_srvr.c

+0 −5

Original line number	Diff line number	Diff line
		@@ -509,11 +509,6 @@ int ssl23_get_client_hello(SSL *s)
		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
		goto err;
		#else
		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
		{
		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
		goto err;
		}
		/* we are talking sslv2 */
		/* we need to clean up the SSLv3/TLSv1 setup and put in the
		* sslv2 stuff. */