From: Dr. Stephen Henson <steve@openssl.org>
Date: Wed, 18 Nov 2009 14:45:32 +0000 (+0000)
Subject: Don't use SSLv2 compatible client hello if we don't tolerate legacy renegotiation
X-Git-Tag: OpenSSL_1_0_0-beta5~82
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=5ddbb8f41a05bba28d4746c63bcd3e654387596f;p=oweals%2Fopenssl.git

Don't use SSLv2 compatible client hello if we don't tolerate legacy renegotiation
---

diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 20cde4f20f..53e080ee8e 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -305,6 +305,8 @@ static int ssl23_client_hello(SSL *s)
 			ssl2_compat = 0;
 		if (s->tlsext_status_type != -1)
 			ssl2_compat = 0;
+		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+			ssl2_compat = 0;
 		
 #ifdef TLSEXT_TYPE_opaque_prf_input
 		if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL)