Fix no-ssl3 configuration option

CVE-2014-3568 Reviewed-by: Emilia Kasper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
author: Geoff Thorpe <geoff@openssl.org> 2014-10-15 03:25:50 -0400
committer: Geoff Thorpe <geoff@openssl.org> 2014-10-15 08:56:16 -0400
commit: 62f45cc27d07187b59551e4fad3db4e52ea73f2c (patch)
tree: 862c736ca96f8c84dfdbb12fca945189b9b42c9e /ssl/s23_clnt.c
parent: 748270554824d2a51d1718f52a8d3ab34116bbfb (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index fa58862ba1..42c3d6861f 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -125,9 +125,11 @@ static const SSL_METHOD *ssl23_get_client_method(int ver)
 	if (ver == SSL2_VERSION)
 		return(SSLv2_client_method());
 #endif
+#ifndef OPENSSL_NO_SSL3
 	if (ver == SSL3_VERSION)
 		return(SSLv3_client_method());
-	else if (ver == TLS1_VERSION)
+#endif
+	if (ver == TLS1_VERSION)
 		return(TLSv1_client_method());
 	else if (ver == TLS1_1_VERSION)
 		return(TLSv1_1_client_method());
@@ -714,6 +716,7 @@ static int ssl23_get_server_hello(SSL *s)
 		{
 		/* we have sslv3 or tls1 (server hello or alert) */
 
+#ifndef OPENSSL_NO_SSL3
 		if ((p[2] == SSL3_VERSION_MINOR) &&
 			!(s->options & SSL_OP_NO_SSLv3))
 			{
@@ -728,7 +731,9 @@ static int ssl23_get_server_hello(SSL *s)
 			s->version=SSL3_VERSION;
 			s->method=SSLv3_client_method();
 			}
-		else if ((p[2] == TLS1_VERSION_MINOR) &&
+		else
+#endif
+		if ((p[2] == TLS1_VERSION_MINOR) &&
 			!(s->options & SSL_OP_NO_TLSv1))
 			{
 			s->version=TLS1_VERSION;
author	Geoff Thorpe <geoff@openssl.org>	2014-10-15 03:25:50 -0400
committer	Geoff Thorpe <geoff@openssl.org>	2014-10-15 08:56:16 -0400
commit	62f45cc27d07187b59551e4fad3db4e52ea73f2c (patch)
tree	862c736ca96f8c84dfdbb12fca945189b9b42c9e /ssl/s23_clnt.c
parent	748270554824d2a51d1718f52a8d3ab34116bbfb (diff)