Don't fail the connection in SSLv3 if server selects ECDHE

ECDHE is not properly defined for SSLv3. Commit fe55c4a2 prevented ECDHE from being selected in that protocol. However, historically, servers do still select ECDHE anyway so that commit causes interoperability problems. Clients that previously worked when talking to an SSLv3 server could now fail. This commit introduces an exception which enables a client to continue in SSLv3 if the server selected ECDHE. [extended tests] Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3204)
author: Matt Caswell <matt@openssl.org> 2017-04-12 17:02:42 +0100
committer: Matt Caswell <matt@openssl.org> 2017-04-24 16:15:40 +0100
commit: 8af91fd9d08487e0dffb6ccac5f42633c964f3f0 (patch)
tree: a10e449c9918e9264f91d93e25f597ebbcaf37b5 /ssl/ssl_lib.c
parent: dd94c37a5c2f783102b125c620000b9719c662d3 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 4de2b47455..c59aa847e4 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2229,7 +2229,7 @@ STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s)
     ssl_set_client_disabled(s);
     for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
         const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
-        if (!ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED)) {
+        if (!ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) {
             if (!sk)
                 sk = sk_SSL_CIPHER_new_null();
             if (!sk)
author	Matt Caswell <matt@openssl.org>	2017-04-12 17:02:42 +0100
committer	Matt Caswell <matt@openssl.org>	2017-04-24 16:15:40 +0100
commit	8af91fd9d08487e0dffb6ccac5f42633c964f3f0 (patch)
tree	a10e449c9918e9264f91d93e25f597ebbcaf37b5 /ssl/ssl_lib.c
parent	dd94c37a5c2f783102b125c620000b9719c662d3 (diff)