author | Dr. Stephen Henson <steve@openssl.org> | 2012-04-17 14:41:23 +0000 |
committer | Dr. Stephen Henson <steve@openssl.org> | 2012-04-17 14:41:23 +0000 |
commit | 89bd25eb26bbc2ebceb4cd892e7453337804820c (patch) | |
tree | eb7f31e3247c005d9a72adb7ba264be475fdd20c /ssl | |
parent | 4a1cf50187659e60c5867ecbbc36e37b2605d2c3 (diff) |
Additional workaround for PR#2771
If OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is set then limit the size of the client's
ciphersuite list to this value. A value of 50 should be sufficient.
Document workarounds in CHANGES.
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/s23_clnt.c | 9 | ||||
-rw-r--r-- | ssl/s3_clnt.c | 9 |
2 files changed, 18 insertions, 0 deletions
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 76f1057b5b..0f2e19e135 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -469,6 +469,15 @@ static int ssl23_client_hello(SSL *s)
 			SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
 			return -1;
 			}
+#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
+		/* Some servers hang if client hello > 256 bytes
+		 * as hack workaround chop number of supported ciphers
+		 * to keep it well below this if we use TLS v1.2
+		 */
+		if (TLS1_get_version(s) >= TLS1_2_VERSION
+			&& i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
+			i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
+#endif
 		s2n(i,p);
 		p+=i;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 4511a914a4..b80d052e1f 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -755,6 +755,15 @@ int ssl3_client_hello(SSL *s)
 			SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
 			goto err;
 			}
+#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
+		/* Some servers hang if client hello > 256 bytes
+		 * as hack workaround chop number of supported ciphers
+		 * to keep it well below this if we use TLS v1.2
+		 */
+		if (TLS1_get_version(s) >= TLS1_2_VERSION
+			&& i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
+			i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
+#endif
 		s2n(i,p);
 		p+=i; |
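Review bot: The cap at `i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;` truncates the already-serialised cipher list by byte count, so whatever the serialiser placed last is dropped silently; in this code base that appears to be the TLS_EMPTY_RENEGOTIATION_INFO_SCSV appended after the preference-ordered suites, which is how an initial ClientHello signals RFC 5746 support, so a long list would lose the secure-renegotiation signal with no error. The same point applies to the ssl/s3_clnt.c hunk. It would be safer to apply the limit to the preferred suites before the SCSV is appended (outside this hunk), or at least to state the unit next to the check, `/* limit is in bytes of cipher-suite ids (2 per suite), not a suite count */`, since the commit message's "value of 50" reads as a count while the comment says "chop number of supported ciphers". The body of ssl23_client_hello continues outside the hunk.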