PR: 2171

Submitted by: Tomas Mraz <tmraz@redhat.com>

Since SSLv2 doesn't support renegotiation at all don't reject it if
legacy renegotiation isn't enabled.

Also can now use SSL2 compatible client hello because RFC5746 supports it.

diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 53e080ee8e9dce286807efe449f97e635c1b73d9..c4d8bf2eb3e4c5f7236369cfdc0c08984fed82d1 100644 (file)
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -305,9 +305,6 @@ static int ssl23_client_hello(SSL *s)
                        ssl2_compat = 0;
                if (s->tlsext_status_type != -1)
                        ssl2_compat = 0;
-               if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
-                       ssl2_compat = 0;
-               
 #ifdef TLSEXT_TYPE_opaque_prf_input
                if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL)
                        ssl2_compat = 0;

diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index fe479fcbcb16cfd0d24267d9646ce54f27a6fc6a..836dd1f1cf4b9137961436e8b1176343f612a242 100644 (file)
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -495,11 +495,6 @@ int ssl23_get_client_hello(SSL *s)
                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
                goto err;
 #else
-               if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
-                       {
-                       SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
-                       goto err;
-                       }
                /* we are talking sslv2 */
                /* we need to clean up the SSLv3/TLSv1 setup and put in the
                 * sslv2 stuff. */