author | Dr. Stephen Henson <steve@openssl.org> | 2010-01-22 18:49:43 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2010-01-22 18:49:43 +0000 |
commit | 6899d9bbf60469c1d16c9f72d2ef0f835f0e7caf (patch) | |
tree | 1938e903622a8570f97d69763909d58ab6d2df7b /ssl | |
parent | cf876a98939e6ef0925120ffe4bfbc2bfdf74bc4 (diff) |
If legacy renegotiation is not permitted then send a fatal alert if a patched
server attempts to renegotiate with an unpatched client.
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/s3_srvr.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index a3bb3aef1e..789447e115 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -248,6 +248,18 @@ int ssl3_accept(SSL *s)
 s->state=SSL3_ST_SR_CLNT_HELLO_A;
 s->ctx->stats.sess_accept++;
 }
+ else if (!s->s3->send_connection_binding &&
+ !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ /* Server attempting to renegotiate with
+ * client that doesn't support secure
+ * renegotiation.
+ */
+ SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ ret = -1;
+ goto end;
+ }
 else
 {
 /* s->state == SSL_ST_RENEGOTIATE, |
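Review bot: The new block's comment says what the condition detects but not why refusing is the safe default, so a later maintainer has nothing to weigh against simply setting SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; I would extend it to `/* Client never offered renegotiation_info or the SCSV, so this would be unsafe legacy renegotiation (RFC 5746 s4.4, CVE-2009-3555 prefix injection): refuse unless the application explicitly opted in with SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION. */`. The flag s->s3->send_connection_binding is presumably recorded while the initial ClientHello's extensions were parsed, but its name reads as the server's own sending behaviour, so the comment should state which side's capability it records — confirm against where it is set. This branch only guards server-initiated renegotiation (the SSL_ST_RENEGOTIATE path visible in the trailing context); a client that opens a second handshake with a ClientHello lacking the extension is not covered here and must be rejected where that hello is parsed, which is outside this hunk. ssl3_accept begins before the hunk, and the `end:` label the new code jumps to is also outside it, so the cleanup that runs after the fatal alert cannot be checked from this view.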