New option to enable/disable connection to unpatched servers

2009-12-16 20:34:20 +00:00
parent 593a6dbe19
commit ccc3df8c33
6 changed files with 24 additions and 3 deletions
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -705,8 +705,9 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 	 * which doesn't support RI so for the immediate future tolerate RI
 	 * absence on initial connect only.
 	 */
-	if (!renegotiate_seen && s->new_session &&
-		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+	if (!renegotiate_seen && 
+		(s->new_session || !(s->options & SSL_OP_LEGACY_SERVER_CONNECT))
+		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
 		{
 		/* FIXME: Spec currently doesn't give alert to use */
 		*al = SSL_AD_ILLEGAL_PARAMETER;