Fix no-ssl3 configuration option

CVE-2014-3568 Reviewed-by: Emilia Kasper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
author: Geoff Thorpe <geoff@openssl.org> 2014-10-15 03:25:50 -0400
committer: Geoff Thorpe <geoff@openssl.org> 2014-10-15 08:46:57 -0400
commit: cd332a07503bd9771595de87e768179f81715704 (patch)
tree: eb97ec8ac78cb3f51009c3585e3297e3b89d0285 /ssl/s23_clnt.c
parent: 2ed80d14d7159de7b52c7720128459e8c24a94d5 (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 910682d327..123120868a 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -72,9 +72,11 @@ static SSL_METHOD *ssl23_get_client_method(int ver)
 	if (ver == SSL2_VERSION)
 		return(SSLv2_client_method());
 #endif
+#ifndef OPENSSL_NO_SSL3
 	if (ver == SSL3_VERSION)
 		return(SSLv3_client_method());
-	else if (ver == TLS1_VERSION)
+#endif
+	if (ver == TLS1_VERSION)
 		return(TLSv1_client_method());
 	else
 		return(NULL);
@@ -533,6 +535,7 @@ static int ssl23_get_server_hello(SSL *s)
 		{
 		/* we have sslv3 or tls1 (server hello or alert) */
 
+#ifndef OPENSSL_NO_SSL3
 		if ((p[2] == SSL3_VERSION_MINOR) &&
 			!(s->options & SSL_OP_NO_SSLv3))
 			{
@@ -547,7 +550,9 @@ static int ssl23_get_server_hello(SSL *s)
 			s->version=SSL3_VERSION;
 			s->method=SSLv3_client_method();
 			}
-		else if ((p[2] == TLS1_VERSION_MINOR) &&
+		else
+#endif
+		if ((p[2] == TLS1_VERSION_MINOR) &&
 			!(s->options & SSL_OP_NO_TLSv1))
 			{
 			s->version=TLS1_VERSION;
author	Geoff Thorpe <geoff@openssl.org>	2014-10-15 03:25:50 -0400
committer	Geoff Thorpe <geoff@openssl.org>	2014-10-15 08:46:57 -0400
commit	cd332a07503bd9771595de87e768179f81715704 (patch)
tree	eb97ec8ac78cb3f51009c3585e3297e3b89d0285 /ssl/s23_clnt.c
parent	2ed80d14d7159de7b52c7720128459e8c24a94d5 (diff)