From 3e8e12a6b6b4e8583e45a66d1a269f424182ddf0 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Wed, 18 Nov 2009 15:09:35 +0000
Subject: [PATCH] Servers can't end up talking SSLv2 with legacy renegotiation disabled
---
 ssl/s23_srvr.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 9d5481cd0e..773c0e38d8 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -488,6 +488,11 @@ int ssl23_get_client_hello(SSL *s)
 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
 goto err;
 #else
+if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+{
+SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+goto err;
+}
 /* we are talking sslv2 */
 /* we need to clean up the SSLv3/TLSv1 setup and put in the
 * sslv2 stuff. */
--
2.25.1
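Review bot: The new guard consults `s->ctx->options` instead of the per-connection option set, so SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION set or cleared on this SSL object via SSL_set_options()/SSL_clear_options() is ignored and the decision silently follows the context's defaults; the check should read `if (!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))`, which is what the per-SSL option is documented to control. The security rationale is not stated anywhere in the hunk and is worth a why-comment above the check, e.g. `/* SSLv2 cannot carry the secure-renegotiation indication, so refuse it unless unsafe legacy renegotiation was explicitly enabled */`, so a later reader does not "fix" the apparent protocol rejection. This branch is the non-OPENSSL_NO_SSL2 side of an #ifdef whose condition and the `type` test selecting the SSLv2 path are outside the hunk, and ssl23_get_client_hello itself begins and ends outside it, so whether an earlier path can still reach the SSLv2 setup cannot be judged from here.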