From bd5f21a4aea1ffb59f35c1c9ccb6e591fe5b8b88 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Wed, 13 Jan 2010 19:08:02 +0000
Subject: [PATCH] Fix version handling so it can cope with a major version >3.

Although it will be many years before TLS v2.0 or later appears old versions
of servers have a habit of hanging around for a considerable time so best if
we handle this properly now.
---
 CHANGES        | 5 +++++
 ssl/s23_srvr.c | 9 ++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 54e643f80f..00ea5eecb2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -881,6 +881,11 @@ Changes between 0.9.8l (?) and 0.9.8m (?) [xx XXX xxxx]
 
+  *) Handle TLS versions 2.0 and later properly and correctly use the
+     highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
+     off ancient servers have a habit of sticking around for a while...
+     [Steve Henson]
+
   *) Modify compression code so it frees up structures without using the
      ex_data callbacks. This works around a problem where some applications
      call CRYPTO_free_all_ex_data() before application exit (e.g. when
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 03efdf74c1..05e4e0b47b 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -323,7 +323,7 @@ int ssl23_get_client_hello(SSL *s)
 		(p[1] == SSL3_VERSION_MAJOR) &&
 		(p[5] == SSL3_MT_CLIENT_HELLO) &&
 		((p[3] == 0 && p[4] < 5 /* silly record length? */)
-			|| (p[9] == p[1])))
+			|| (p[9] >= p[1])))
 		{
 		/*
 		 * SSLv3 or tls1 header
@@ -347,6 +347,13 @@ int ssl23_get_client_hello(SSL *s)
 			v[1] = TLS1_VERSION_MINOR;
 #endif
 		}
+		/* if major version number > 3 set minor to a value
+		 * which will use the highest version 3 we support.
+		 * If TLS 2.0 ever appears we will need to revise
+		 * this....
+		 */
+		else if (p[9] > SSL3_VERSION_MAJOR)
+			v[1]=0xff;
 		else
 			v[1]=p[10]; /* minor version according to client_version */
 		if (v[1] >= TLS1_VERSION_MINOR)
-- 
2.25.1
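Review bot: `v[1]=0xff` in the new `else if (p[9] > SSL3_VERSION_MAJOR)` branch is a magic sentinel whose only contract is "larger than any minor we know", and the hunk's last line `if (v[1] >= TLS1_VERSION_MINOR)` is what turns it into the "highest supported" choice; if `v[]` is also what the function later records as the client's advertised version (that code is outside the hunk), the server would presumably remember 0x03ff rather than the client's real major version from `p[9]` or the version it actually negotiated, which matters for any later check keyed on client_version such as the RSA premaster-secret version comparison. I would name the sentinel and state the intent where it is set, e.g. `#define SSL23_HIGHEST_MINOR 0xff /* > any real minor: forces the "highest we support" branch */` and `v[1]=SSL23_HIGHEST_MINOR;`, and extend the new comment with a sentence noting that the client's true major version is discarded at this point. The phrase `highest version 3 we support` in the comment should also say explicitly that it depends on the `v[1] >= TLS1_VERSION_MINOR` dispatch below, so that whoever adds newer TLS 1.x minors to that dispatch knows this branch relies on it. ssl23_get_client_hello starts and ends outside the hunk.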