PR: 2811
authorDr. Stephen Henson <steve@openssl.org>
Fri, 11 May 2012 13:32:26 +0000 (13:32 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 11 May 2012 13:32:26 +0000 (13:32 +0000)
Reported by: Phil Pennock <openssl-dev@spodhuis.org>

Make renegotiation work for TLS 1.2, 1.1 by not using a lower record
version client hello workaround if renegotiating.

CHANGES
ssl/s3_pkt.c

diff --git a/CHANGES b/CHANGES
index c6d51b0bced64324062c4806de7c5d657a84f523..ef8dff4a002244b8a866453e2d8354efac7be96a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,9 @@
 
  Changes between 1.0.1c and 1.0.1d [xx XXX xxxx]
 
-  *)
+  *) Don't use TLS 1.0 record version number in initial client hello
+     if renegotiating.
+     [Steve Henson]
 
  Changes between 1.0.1b and 1.0.1c [10 May 2012]
 
index adf8c387cc0a504801211bfeece83e46b60b5f98..f71c03b58d52b7a4bffa1ea66c0654fdfe0d0617 100644 (file)
@@ -744,6 +744,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
         * bytes and record version number > TLS 1.0
         */
        if (s->state == SSL3_ST_CW_CLNT_HELLO_B
+                               && !s->renegotiate
                                && TLS1_get_version(s) > TLS1_VERSION)
                *(p++) = 0x1;
        else