From 4d09323a632e285966c06f69281c72ecc02d196c Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 18 Nov 2009 14:45:48 +0000 Subject: [PATCH] Don't use SSLv2 compatible client hello if we don't tolerate legacy renegotiation --- ssl/s23_clnt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index 20cde4f20f..53e080ee8e 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -305,6 +305,8 @@ static int ssl23_client_hello(SSL *s) ssl2_compat = 0; if (s->tlsext_status_type != -1) ssl2_compat = 0; + if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + ssl2_compat = 0; #ifdef TLSEXT_TYPE_opaque_prf_input if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL) -- 2.25.1