From: Dr. Stephen Henson Date: Wed, 18 Nov 2009 14:45:48 +0000 (+0000) Subject: Don't use SSLv2 compatible client hello if we don't tolerate legacy renegotiation X-Git-Tag: OpenSSL-fips-2_0-rc1~1430 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=4d09323a632e285966c06f69281c72ecc02d196c;p=oweals%2Fopenssl.git Don't use SSLv2 compatible client hello if we don't tolerate legacy renegotiation --- diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index 20cde4f20f..53e080ee8e 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -305,6 +305,8 @@ static int ssl23_client_hello(SSL *s) ssl2_compat = 0; if (s->tlsext_status_type != -1) ssl2_compat = 0; + if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + ssl2_compat = 0; #ifdef TLSEXT_TYPE_opaque_prf_input if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL)