From 4a1cf50187659e60c5867ecbbc36e37b2605d2c3 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Tue, 17 Apr 2012 13:20:19 +0000
Subject: Partial workaround for PR#2771. Some servers hang when presented with a client hello record length exceeding 255 bytes but will work with longer client hellos if the TLS record version in client hello does not exceed TLS v1.0. Unfortunately this doesn't fix all cases...
---
 ssl/s23_clnt.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'ssl/s23_clnt.c')
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 13412f26aa..76f1057b5b 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -523,8 +523,13 @@ static int ssl23_client_hello(SSL *s)
 d=buf;
 *(d++) = SSL3_RT_HANDSHAKE;
 *(d++) = version_major;
- *(d++) = version_minor; /* arguably we should send the *lowest* suported version here
- * (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */
+ /* Some servers hang if we use long client hellos
+ * and a record number > TLS 1.0.
+ */
+ if (TLS1_get_client_version(s) > TLS1_VERSION)
+ *(d++) = 1;
+ else
+ *(d++) = version_minor;
 s2n((int)l,d); /* number of bytes to write */
-- cgit v1.2.3
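Review bot: The literal in `*(d++) = 1;` hides that the record-layer version is being pinned to TLS 1.0; `*(d++) = TLS1_VERSION_MINOR;` says so directly, and the comment above it should read "record version" rather than "record number". The clamp is applied whenever `TLS1_get_client_version(s) > TLS1_VERSION`, not only for hellos longer than 255 bytes as the commit message describes, so the comment should state that it is unconditional. It would also help to note there that only the record header is lowered and that the version offered for negotiation is, presumably, still written into the hello body outside this hunk, so a reader does not mistake this for a protocol downgrade. `ssl23_client_hello` begins and ends outside the hunk.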