Don't advertise ECC ciphersuits in SSLv2 compatible client hello.
authorTomas Mraz <tmraz@redhat.com>
Fri, 27 Jun 2014 15:49:22 +0000 (16:49 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 27 Jun 2014 15:52:10 +0000 (16:52 +0100)
PR#3374
(cherry picked from commit 0436369fccd128cb7f6a8538d5fed1c876c437af)

ssl/s23_lib.c

index 3bf728318a4cec530eb25d41b05e7b83cebe817b..f3c29d1dde61ec93d6e3fce69853d53539769e73 100644 (file)
@@ -107,6 +107,13 @@ int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
        long l;
 
        /* We can write SSLv2 and SSLv3 ciphers */
+       /* but no ECC ciphers */
+       if (c->algorithm_mkey == SSL_kECDHr ||
+               c->algorithm_mkey == SSL_kECDHe ||
+               c->algorithm_mkey == SSL_kEECDH ||
+               c->algorithm_auth == SSL_aECDH ||
+               c->algorithm_auth == SSL_aECDSA)
+               return 0;
        if (p != NULL)
                {
                l=c->id;