From b362ccab5c1d52086f19d29a32f4acc11073b86b Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 15 Dec 2013 13:32:24 +0000 Subject: Security framework. Security callback: selects which parameters are permitted including sensible defaults based on bits of security. The "parameters" which can be selected include: ciphersuites, curves, key sizes, certificate signature algorithms, supported signature algorithms, DH parameters, SSL/TLS version, session tickets and compression. In some cases prohibiting the use of a parameters will mean they are not advertised to the peer: for example cipher suites and ECC curves. In other cases it will abort the handshake: e.g DH parameters or the peer key size. Documentation to follow... --- ssl/s23_srvr.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'ssl/s23_srvr.c') diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 9d47c22cb8..cb2b138f08 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -441,6 +441,12 @@ int ssl23_get_client_hello(SSL *s) } #endif + if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) + { + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_VERSION_TOO_LOW); + goto err; + } + if (s->state == SSL23_ST_SR_CLNT_HELLO_B) { /* we have SSLv3/TLSv1 in an SSLv2 header -- cgit v1.2.3