From: Dr. Stephen Henson
Date: Sun, 27 Jun 2010 14:43:03 +0000 (+0000)
Subject: no need for empty fragments with TLS 1.1 and later due to explicit IV
X-Git-Tag: OpenSSL-fips-2_0-rc1~1067
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=9674de7d3d09a0280961de5648a44ef9b029d64b;p=oweals%2Fopenssl.git

no need for empty fragments with TLS 1.1 and later due to explicit IV
---
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index b5c3179c48..5446bb250d 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -607,7 +607,8 @@ printf("\nkey block\n");
 { int z; for (z=0; zoptions & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
+ if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
+ && s->method->version <= TLS1_VERSION)
 {
 /* enable vulnerability countermeasure for CBC ciphers with
 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
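Review bot: The added condition tests `s->method->version`, the version of the method object, rather than the version negotiated for this connection. Whether a TLS 1.0 session still gets the empty-fragment countermeasure therefore depends on `s->method` having been switched to the negotiated protocol's method before this code runs, which the hunk does not show. If that is not guaranteed, `&& s->version <= TLS1_VERSION)` would tie the check to the connection itself. The comment under the condition should also say why the version matters, for example `/* SSL 3.0 and TLS 1.0 chain the CBC IV from the previous record; TLS 1.1 and later send an explicit IV per record */`. The enclosing function starts and ends outside the hunk.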