Servers can't end up talking SSLv2 with legacy renegotiation disabled

author: Dr. Stephen Henson <steve@openssl.org> 2009-11-18 16:09:44 +0100
committer: Dr. Stephen Henson <steve@openssl.org> 2009-11-18 16:09:44 +0100
commit: 6cef3a7f9c5c26d7f75b53e77e25a0a64779a4af (patch)
tree: 99f440c5d035c295c3284adb745d410cc78b55a1 /ssl/s23_srvr.c
parent: Don't use SSLv2 compatible client hello if we don't tolerate legacy renegotia... (diff)
download: openssl-6cef3a7f9c5c26d7f75b53e77e25a0a64779a4af.tar.xz
openssl-6cef3a7f9c5c26d7f75b53e77e25a0a64779a4af.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 9d5481cd0e..773c0e38d8 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -488,6 +488,11 @@ int ssl23_get_client_hello(SSL *s)
 		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
 		goto err;
 #else
+		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+			{
+			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+			goto err;
+			}
 		/* we are talking sslv2 */
 		/* we need to clean up the SSLv3/TLSv1 setup and put in the
 		 * sslv2 stuff. */
author	Dr. Stephen Henson <steve@openssl.org>	2009-11-18 16:09:44 +0100
committer	Dr. Stephen Henson <steve@openssl.org>	2009-11-18 16:09:44 +0100
commit	6cef3a7f9c5c26d7f75b53e77e25a0a64779a4af (patch)
tree	99f440c5d035c295c3284adb745d410cc78b55a1 /ssl/s23_srvr.c
parent	Don't use SSLv2 compatible client hello if we don't tolerate legacy renegotia... (diff)
download	openssl-6cef3a7f9c5c26d7f75b53e77e25a0a64779a4af.tar.xz openssl-6cef3a7f9c5c26d7f75b53e77e25a0a64779a4af.zip