generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

If legacy renegotiation is not permitted then send a fatal alert if a patched

Browse Source 
server attempts to renegotiate with an unpatched client.
This commit is contained in:
Dr. Stephen Henson 2010-01-22 18:49:34 +00:00
parent 3243698f1d
commit 3a88efd48c
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ssl/s3_srvr.c
View File

@ -271,6 +271,18 @@ int ssl3_accept(SSL *s)
s->state=SSL3_ST_SR_CLNT_HELLO_A; s->state=SSL3_ST_SR_CLNT_HELLO_A;
s->ctx->stats.sess_accept++; s->ctx->stats.sess_accept++;
} }
else if (!s->s3->send_connection_binding &&
!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{
/* Server attempting to renegotiate with
* client that doesn't support secure
* renegotiation.
*/
SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
ret = -1;
goto end;
}
else else
{ {
/* s->state == SSL_ST_RENEGOTIATE, /* s->state == SSL_ST_RENEGOTIATE,