diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2012-01-03 22:03:20 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2012-01-03 22:03:20 +0000 |
commit | 5733919dbca0b2469673a38ec4290d663d594ae4 (patch) | |
tree | 622d12ab86396ffcbf4d3bbaf053dbd2bab4880f /ssl/ssl3.h | |
parent | b333905011f450672b85a7d7bce8a71e303309c6 (diff) |
only send heartbeat extension from server if client sent one
Diffstat (limited to 'ssl/ssl3.h')
-rw-r--r-- | ssl/ssl3.h | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/ssl/ssl3.h b/ssl/ssl3.h index 93f9ead305..68a66e2b00 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -389,6 +389,17 @@ typedef struct ssl3_buffer_st #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 +/* SSL3_FLAGS_SGC_RESTART_DONE is set when we + * restart a handshake because of MS SGC and so prevents us + * from restarting the handshake in a loop. It's reset on a + * renegotiation, so effectively limits the client to one restart + * per negotiation. This limits the possibility of a DDoS + * attack where the client handshakes in a loop using SGC to + * restart. Servers which permit renegotiation can still be + * effected, but we can't prevent that. + */ +#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040 + #ifndef OPENSSL_NO_SSL_INTERN typedef struct ssl3_state_st |