authorDr. Stephen Henson <steve@openssl.org>2010-02-17 18:37:47 +0000
committerDr. Stephen Henson <steve@openssl.org>2010-02-17 18:37:47 +0000
commit442ac8d25993b2fbdd801cae79a2e78612cfaf80 (patch)
treeb19557b5ae3392b7f346eb2dbd2a9b142165c5c7 /ssl/t1_lib.c
parent657b02d0cfa4a84765dc20b0e5eab20cb93988bb (diff)
Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as
initial connection to unpatched servers. There are no additional security concerns in doing this as clients don't see renegotiation during an attack anyway.
Diffstat (limited to 'ssl/t1_lib.c')
-rw-r--r--ssl/t1_lib.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index ce24f89746..8b53112770 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -705,8 +705,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
* which doesn't support RI so for the immediate future tolerate RI
* absence on initial connect only.
*/
- if (!renegotiate_seen &&
- (s->new_session || !(s->options & SSL_OP_LEGACY_SERVER_CONNECT))
+ if (!renegotiate_seen
+ && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{
*al = SSL_AD_HANDSHAKE_FAILURE;
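Review bot: The comment ending at the top of this hunk (`* absence on initial connect only.`) no longer describes the condition below it: dropping the `s->new_session` term means SSL_OP_LEGACY_SERVER_CONNECT now suppresses the handshake failure for missing RI on renegotiation as well as on the initial connect, which is exactly what the commit intends. The comment should say so, e.g. `* absence when SSL_OP_LEGACY_SERVER_CONNECT is set, on renegotiation as well as initial connect.` That comment begins above the hunk, and ssl_parse_serverhello_tlsext itself starts and ends outside it. If the option's user-facing documentation states the old initial-connect-only semantics, it presumably needs the same update so deployments understand what tolerance they are enabling.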