Servers can't end up talking SSLv2 with legacy renegotiation disabled

author Dr. Stephen Henson <steve@openssl.org>

Wed, 18 Nov 2009 15:09:35 +0000 (15:09 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Wed, 18 Nov 2009 15:09:35 +0000 (15:09 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Wed, 18 Nov 2009 15:09:35 +0000 (15:09 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Wed, 18 Nov 2009 15:09:35 +0000 (15:09 +0000)
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c

index 9d5481cd0e020c07a150cf04f70e4a76411c2b41..773c0e38d81e581d7d397ba6c9624a4a3d8c13f5 100644 (file)
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -488,6 +488,11 @@ int ssl23_get_client_hello(SSL *s)
                 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
                 goto err;
  #else
+               if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+                       {
+                       SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+                       goto err;
+                       }
                 /* we are talking sslv2 */
                 /* we need to clean up the SSLv3/TLSv1 setup and put in the
                  * sslv2 stuff. */
author	Dr. Stephen Henson <steve@openssl.org>
	Wed, 18 Nov 2009 15:09:35 +0000 (15:09 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Wed, 18 Nov 2009 15:09:35 +0000 (15:09 +0000)