PR: 2171

Submitted by: Tomas Mraz <tmraz@redhat.com> Since SSLv2 doesn't support renegotiation at all don't reject it if legacy renegotiation isn't enabled. Also can now use SSL2 compatible client hello because RFC5746 supports it.
author: Dr. Stephen Henson <steve@openssl.org> 2010-02-16 14:21:11 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2010-02-16 14:21:11 +0000
commit: 8d934c2585b2938344af328799286fd2526b579d (patch)
tree: 060f31650cbd529d71cc2d6b6ec430ddb3a89c42 /ssl
parent: 1458b931ebfd9973643dc57e7d02a71749d0b910 (diff)
2 files changed, 0 insertions, 8 deletions
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index b2a3eb02fb..e6f9bf952a 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -311,9 +311,6 @@ static int ssl23_client_hello(SSL *s)
 			ssl2_compat = 0;
 		if (s->tlsext_status_type != -1)
 			ssl2_compat = 0;
-		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
-			ssl2_compat = 0;
-		
 #ifdef TLSEXT_TYPE_opaque_prf_input
 		if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL)
 			ssl2_compat = 0;
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 05e4e0b47b..390b99bf56 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -509,11 +509,6 @@ int ssl23_get_client_hello(SSL *s)
 		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
 		goto err;
 #else
-		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
-			{
-			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
-			goto err;
-			}
 		/* we are talking sslv2 */
 		/* we need to clean up the SSLv3/TLSv1 setup and put in the
 		 * sslv2 stuff. */
author	Dr. Stephen Henson <steve@openssl.org>	2010-02-16 14:21:11 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2010-02-16 14:21:11 +0000
commit	8d934c2585b2938344af328799286fd2526b579d (patch)
tree	060f31650cbd529d71cc2d6b6ec430ddb3a89c42 /ssl
parent	1458b931ebfd9973643dc57e7d02a71749d0b910 (diff)