From: Dr. Stephen Henson <steve@openssl.org>
Date: Tue, 16 Feb 2010 14:19:42 +0000 (+0000)
Subject: PR: 2171
X-Git-Tag: OpenSSL_0_9_8m~13
X-Git-Url: https://git.openssl.org/gitweb/?a=commitdiff_plain;h=b50ef8b21668c8fbd83771808f2c102b966d3408;p=openssl.git

PR: 2171
Submitted by: Tomas Mraz <tmraz@redhat.com>

Since SSLv2 doesn't support renegotiation at all don't reject it if
legacy renegotiation isn't enabled.

Also can now use SSL2 compatible client hello because RFC5746 supports it.
---

diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 70425997df..de0238935a 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -235,8 +235,6 @@ static int ssl23_client_hello(SSL *s)
 			ssl2_compat = 0;
 		if (s->tlsext_status_type != -1)
 			ssl2_compat = 0;
-		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
-			ssl2_compat = 0;
 		}
 #endif
 
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index a3fc34d64a..be05911e96 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -493,11 +493,6 @@ int ssl23_get_client_hello(SSL *s)
 		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
 		goto err;
 #else
-		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
-			{
-			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
-			goto err;
-			}
 		/* we are talking sslv2 */
 		/* we need to clean up the SSLv3/TLSv1 setup and put in the
 		 * sslv2 stuff. */