From: Dr. Stephen Henson <steve@openssl.org>
Date: Sun, 27 Jun 2010 14:42:43 +0000 (+0000)
Subject: no need for empty fragments with TLS 1.1 and later due to explicit IV
X-Git-Tag: OpenSSL_1_0_1-beta1~502
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=28566b4966ead6d828e3f5095ee15feb4744ed96;p=oweals%2Fopenssl.git

no need for empty fragments with TLS 1.1 and later due to explicit IV
---

diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index b5c3179c48..5446bb250d 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -607,7 +607,8 @@ printf("\nkey block\n");
 { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
 #endif
 
-	if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
+	if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
+		&& s->method->version <= TLS1_VERSION)
 		{
 		/* enable vulnerability countermeasure for CBC ciphers with
 		 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)