Servers can't end up talking SSLv2 with legacy renegotiation disabled

author Dr. Stephen Henson <steve@openssl.org>

Wed, 18 Nov 2009 15:08:49 +0000 (15:08 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Wed, 18 Nov 2009 15:08:49 +0000 (15:08 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Wed, 18 Nov 2009 15:08:49 +0000 (15:08 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Wed, 18 Nov 2009 15:08:49 +0000 (15:08 +0000)
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c

index ba06e7ae2eb93c1a1fff14a3dd05549785d365b5..73b7e610e004cae1babe9886ebd381ab5ff89878 100644 (file)
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -486,6 +486,11 @@ int ssl23_get_client_hello(SSL *s)
                 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
                 goto err;
  #else
+               if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+                       {
+                       SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+                       goto err;
+                       }
                 /* we are talking sslv2 */
                 /* we need to clean up the SSLv3/TLSv1 setup and put in the
                  * sslv2 stuff. */
author	Dr. Stephen Henson <steve@openssl.org>
	Wed, 18 Nov 2009 15:08:49 +0000 (15:08 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Wed, 18 Nov 2009 15:08:49 +0000 (15:08 +0000)