Fix version handling so it can cope with a major version >3.
authorDr. Stephen Henson <steve@openssl.org>
Wed, 13 Jan 2010 19:08:45 +0000 (19:08 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 13 Jan 2010 19:08:45 +0000 (19:08 +0000)
Although it will be many years before TLS v2.0 or later appears, old versions
of servers have a habit of hanging around for a considerable time, so it is best
if we handle this properly now.

CHANGES
ssl/s23_srvr.c

diff --git a/CHANGES b/CHANGES
index 85c5bd8698752e1e9617c5085f47bba29e82eeaa..5e71187a7c7e8190862434ae365356fef3daa459 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
 
  Changes between 0.9.8l (?) and 0.9.8m (?)  [xx XXX xxxx]
 
+  *) Handle TLS versions 2.0 and later properly and correctly use the
+     highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
+     off ancient servers have a habit of sticking around for a while...
+     [Steve Henson]
+
   *) Modify compression code so it frees up structures without using the
      ex_data callbacks. This works around a problem where some applications
      call CRYPTO_free_all_ex_data() before application exit (e.g. when
index 73b7e610e004cae1babe9886ebd381ab5ff89878..a3fc34d64a31de95a486a9964f64a30091f6eed7 100644 (file)
@@ -315,7 +315,7 @@ int ssl23_get_client_hello(SSL *s)
                         (p[1] == SSL3_VERSION_MAJOR) &&
                         (p[5] == SSL3_MT_CLIENT_HELLO) &&
                         ((p[3] == 0 && p[4] < 5 /* silly record length? */)
-                               || (p[9] == p[1])))
+                               || (p[9] >= p[1])))
                        {
                        /*
                         * SSLv3 or tls1 header
@@ -339,6 +339,13 @@ int ssl23_get_client_hello(SSL *s)
                                v[1] = TLS1_VERSION_MINOR;
 #endif
                                }
+                       /* if major version number > 3 set minor to a value
+                        * which will use the highest version 3 we support.
+                        * If TLS 2.0 ever appears we will need to revise
+                        * this....
+                        */
+                       else if (p[9] > SSL3_VERSION_MAJOR)
+                               v[1]=0xff;
                        else
                                v[1]=p[10]; /* minor version according to client_version */
                        if (v[1] >= TLS1_VERSION_MINOR)
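Review bot: The `0xff` stored in `v[1]` on the new `else if (p[9] > SSL3_VERSION_MAJOR)` branch is an unnamed sentinel whose only job is to make the `v[1] >= TLS1_VERSION_MINOR` test on the following line succeed, and nothing at the assignment says so; either give it a name or state it there, e.g. `v[1]=0xff; /* larger than any minor we know: pick highest supported 3.x below */`. This relies on `v[1]` never being copied into `s->version` or echoed back to the client as a real minor version; the remainder of `ssl23_get_client_hello` is outside this hunk, so that should be confirmed where `v[1]` is consumed. The branch is reachable only because the header check earlier in the same function was relaxed from `p[9] == p[1]` to `p[9] >= p[1]`, while the short-record path (`p[3] == 0 && p[4] < 5`) still never inspects `p[9]` at all, which is pre-existing but worth a sentence in the block comment so a future TLS 2.0 revision finds both places. The four-line comment would read better placed inside the branch rather than between the closing brace of the preceding `if` and the `else if`.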