no need for empty fragments with TLS 1.1 and later due to explicit IV

author Dr. Stephen Henson <steve@openssl.org>

Sun, 27 Jun 2010 14:43:03 +0000 (14:43 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Sun, 27 Jun 2010 14:43:03 +0000 (14:43 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Sun, 27 Jun 2010 14:43:03 +0000 (14:43 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Sun, 27 Jun 2010 14:43:03 +0000 (14:43 +0000)
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c

index b5c3179c48b4d6fa50cab3b40c7ecba26a4f2c55..5446bb250dd66308d36f8ae2f3e19b1ed00b7fb8 100644 (file)
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -607,7 +607,8 @@ printf("\nkey block\n");
  { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
  #endif
  
-       if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
+       if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
+               && s->method->version <= TLS1_VERSION)
                 {
                 /* enable vulnerability countermeasure for CBC ciphers with
                  * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
author	Dr. Stephen Henson <steve@openssl.org>
	Sun, 27 Jun 2010 14:43:03 +0000 (14:43 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Sun, 27 Jun 2010 14:43:03 +0000 (14:43 +0000)