Don't use SSLv2 compatible client hello if we don't tolerate legacy renegotiation

author Dr. Stephen Henson <steve@openssl.org>

Wed, 18 Nov 2009 14:43:27 +0000 (14:43 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Wed, 18 Nov 2009 14:43:27 +0000 (14:43 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Wed, 18 Nov 2009 14:43:27 +0000 (14:43 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Wed, 18 Nov 2009 14:43:27 +0000 (14:43 +0000)
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c

index de0238935a2f93bbaff8a4431cced9b805993a7e..70425997dff43723f32247e15beab5e9fe85b8c4 100644 (file)
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -235,6 +235,8 @@ static int ssl23_client_hello(SSL *s)
                         ssl2_compat = 0;
                 if (s->tlsext_status_type != -1)
                         ssl2_compat = 0;
+               if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+                       ssl2_compat = 0;
                 }
  #endif
author	Dr. Stephen Henson <steve@openssl.org>
	Wed, 18 Nov 2009 14:43:27 +0000 (14:43 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Wed, 18 Nov 2009 14:43:27 +0000 (14:43 +0000)