Disable SHA-2 ciphersuites in < TLS 1.2 connections.

(TLS 1.2 clients could end up negotiating these with an OpenSSL server
with TLS 1.2 disabled, which is problematic.)

Submitted by: Adam Langley
Bodo Möller
2012-04-17 15:23:03 +00:00
parent 800e1cd969
commit d3ddf0228e
2 changed files with 16 additions and 13 deletions

@@ -291,6 +291,9 @@
Changes between 1.0.1 and 1.0.1a [xx XXX xxxx]
*) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
[Adam Langley]
*) Workarounds for some broken servers that "hang" if a client hello
record length exceeds 255 bytes:
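
Review bot: The new CHANGES entry says "TLS 1.2 SHA-256 ciphersuites" while the commit subject says "SHA-2 ciphersuites"; if the restriction also covers the SHA-384 suites, the entry should say SHA-2 so the two descriptions agree. The entry also omits the reason given in the commit message (a TLS 1.2 client negotiating these suites with an OpenSSL server that has TLS 1.2 disabled); adding a short clause to that effect would tell readers of CHANGES why the restriction exists.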