Simplify RI+SCSV logic:

1. Send SCSV is not renegotiating, never empty RI.
2. Send RI if renegotiating.

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b265b4d45f247e4b85fb46f9c61239eda9125c0e..b72a97064834cd79c860bbacb1fd269364cec50f 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1370,10 +1370,9 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
                p+=j;
                }
        /* If p == q, no ciphers and caller indicates an error. Otherwise
-        * add SCSV if no extensions (i.e. SSL3 is client_version)
-        * since spec RECOMMENDS not sending both RI and SCSV.
+        * add SCSV if not renegotiating.
         */
-       if (p != q && !s->new_session && s->client_version == SSL3_VERSION)
+       if (p != q && !s->new_session)
                {
                static SSL_CIPHER scsv =
                        {

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 4eb6d13840afa45247e1d4e24decaec9ba8761ee..4cb171e6d4fa925056a7f5b4e3dfcde0e36946b0 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -316,8 +316,9 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                ret+=size_str;
                }
 
-        /* Add the renegotiation option: TODOEKR switch */
-        {
+        /* Add RI if renegotiating */
+        if (s->new_session)
+          {
           int el;
           
           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))