From f3dcc8411e518fb0835c7d72df4a58718205260d Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 24 Dec 2013 18:17:00 +0000 Subject: [PATCH] Don't change version number if session established When sending an invalid version number alert don't change the version number to the client version if a session is already established. Thanks to Marek Majkowski for additional analysis of this issue. PR#3191 --- ssl/s3_pkt.c | 2 +- ssl/s3_srvr.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index c4bc4e787d..96ba63262e 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -335,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length); if (version != s->version) { SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); - if ((s->version & 0xFF00) == (version & 0xFF00)) + if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash) /* Send back error using their minor version number :-) */ s->version = (unsigned short)version; al=SSL_AD_PROTOCOL_VERSION; diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index e5a8b3fbf2..52efed328a 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -958,7 +958,8 @@ int ssl3_get_client_hello(SSL *s) (s->version != DTLS1_VERSION && s->client_version < s->version)) { SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); - if ((s->client_version>>8) == SSL3_VERSION_MAJOR) + if ((s->client_version>>8) == SSL3_VERSION_MAJOR && + !s->enc_write_ctx && !s->write_hash) { /* similar to ssl3_get_record, send alert using remote version number */ s->version = s->client_version; -- 2.25.1