  1. Sep 07, 2017
    • Fix test_client_hello with no-tls1_2_method · 511fbc60
      Benjamin Kaduk authored
      
      The extensions not sent when TLS 1.2 is not used caused the message
      length to be 109, which is less than the 127 threshold needed
      to activate the F5 workaround.  Add another 20 bytes of dummy ALPN
      data to push it over the threshold.
      
      Also, fix the definition of the (unused) local macro indicating
      the threshold.
      
      Reviewed-by: Rich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/4346)
    • Restore historical behavior for absent ServerHello extensions · 1c259bb5
      Benjamin Kaduk authored
      In OpenSSL 1.1.0, when there were no extensions added to the ServerHello,
      we did not write the extension data length bytes to the end of the
      ServerHello; this is needed for compatibility with old client implementations
      that do not support TLS extensions (such as the default configuration of
      OpenSSL 0.9.8).  When ServerHello extension construction was converted
      to the new extensions framework in commit 7da160b0, this behavior was
      inadvertently
      limited to cases when SSLv3 was negotiated (and similarly for ClientHellos),
      presumably since extensions are not defined at all for SSLv3.  However,
      extensions for TLS prior to TLS 1.3 have been defined in separate
      RFCs (6066, 4366, and 3546) from the TLS protocol specifications, and as such
      should be considered an optional protocol feature in those cases.
      
      Accordingly, be conservative in what we send, and skip the extensions block
      when there are no extensions to be sent, regardless of the TLS/SSL version.
      (TLS 1.3 requires extensions and can safely be treated differently.)
      
      Reviewed-by: Matt Caswell <matt@openssl.org>
      Reviewed-by: Paul Dale <paul.dale@oracle.com>
      (Merged from https://github.com/openssl/openssl/pull/4296)