authorDr. Stephen Henson <steve@openssl.org>2010-02-17 18:37:47 +0000
committerDr. Stephen Henson <steve@openssl.org>2010-02-17 18:37:47 +0000
commit442ac8d25993b2fbdd801cae79a2e78612cfaf80 (patch)
treeb19557b5ae3392b7f346eb2dbd2a9b142165c5c7 /ssl
parent657b02d0cfa4a84765dc20b0e5eab20cb93988bb (diff)
Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as
initial connection to unpatched servers. There are no additional security concerns in doing this as clients don't see renegotiation during an attack anyway.
Diffstat (limited to 'ssl')
-rw-r--r--ssl/t1_lib.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index ce24f89746..8b53112770 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -705,8 +705,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
* which doesn't support RI so for the immediate future tolerate RI
* absence on initial connect only.
*/
- if (!renegotiate_seen &&
- (s->new_session || !(s->options & SSL_OP_LEGACY_SERVER_CONNECT))
+ if (!renegotiate_seen
+ && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{
*al = SSL_AD_HANDSHAKE_FAILURE;
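Review bot: The comment immediately above the changed condition still says RI absence is tolerated "on initial connect only", but the new condition drops the `s->new_session` term, so with SSL_OP_LEGACY_SERVER_CONNECT set a missing renegotiation_info extension is now also accepted on renegotiation; the comment is stale and should be updated in the same commit. Suggested wording for the end of that comment: `* absence on initial connect, and on renegotiation too when SSL_OP_LEGACY_SERVER_CONNECT is set.` It would also help a future reader to note beside the condition that SSL_OP_LEGACY_SERVER_CONNECT and SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION now both bypass the RI check here, so a reviewer auditing which options weaken the RI enforcement does not have to rediscover it. The comment block and the enclosing ssl_parse_serverhello_tlsext function both begin outside this hunk.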