From: Tomas Mraz <tmraz@redhat.com>
Date: Fri, 27 Jun 2014 15:49:22 +0000 (+0100)
Subject: Don't advertise ECC ciphersuits in SSLv2 compatible client hello.
X-Git-Tag: OpenSSL_1_0_1i~80
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=cf0156622a50df3f5fa9ba98bdbf6935fa0769d9;p=oweals%2Fopenssl.git

Don't advertise ECC ciphersuits in SSLv2 compatible client hello.

PR#3374
(cherry picked from commit 0436369fccd128cb7f6a8538d5fed1c876c437af)
---

diff --git a/ssl/s23_lib.c b/ssl/s23_lib.c
index 3bf728318a..f3c29d1dde 100644
--- a/ssl/s23_lib.c
+++ b/ssl/s23_lib.c
@@ -107,6 +107,13 @@ int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
 	long l;
 
 	/* We can write SSLv2 and SSLv3 ciphers */
+	/* but no ECC ciphers */
+	if (c->algorithm_mkey == SSL_kECDHr ||
+		c->algorithm_mkey == SSL_kECDHe ||
+		c->algorithm_mkey == SSL_kEECDH ||
+		c->algorithm_auth == SSL_aECDH ||
+		c->algorithm_auth == SSL_aECDSA)
+		return 0;
 	if (p != NULL)
 		{
 		l=c->id;