From 293706e72c314b0155f4e7062e57db4b48d0e60e Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 17 Apr 2012 13:21:19 +0000 Subject: [PATCH] Partial workaround for PR#2771. Some servers hang when presented with a client hello record length exceeding 255 bytes but will work with longer client hellos if the TLS record version in client hello does not exceed TLS v1.0. Unfortunately this doesn't fix all cases... --- ssl/s23_clnt.c | 9 +++++++-- ssl/s3_pkt.c | 9 ++++++++- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index b3c48232d7..299af0f03a 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -521,8 +521,13 @@ static int ssl23_client_hello(SSL *s) d=buf; *(d++) = SSL3_RT_HANDSHAKE; *(d++) = version_major; - *(d++) = version_minor; /* arguably we should send the *lowest* suported version here - * (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */ + /* Some servers hang if we use long client hellos + * and a record number > TLS 1.0. + */ + if (TLS1_get_client_version(s) > TLS1_VERSION) + *(d++) = 1; + else + *(d++) = version_minor; s2n((int)l,d); /* number of bytes to write */ diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index ca5412dc2a..2d569cc1ce 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -740,7 +740,14 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, wr->type=type; *(p++)=(s->version>>8); - *(p++)=s->version&0xff; + /* Some servers hang if iniatial client hello is larger than 256 + * bytes and record version number > TLS 1.0 + */ + if (s->state == SSL3_ST_CW_CLNT_HELLO_B + && TLS1_get_version(s) > TLS1_VERSION) + *(p++) = 0x1; + else + *(p++)=s->version&0xff; /* field where we are to write out packet length */ plen=p; -- 2.25.1