PR: 2153, 2125
[openssl.git] / ssl / s23_srvr.c
index 9d5481cd0e020c07a150cf04f70e4a76411c2b41..fe479fcbcb16cfd0d24267d9646ce54f27a6fc6a 100644 (file)
@@ -315,7 +315,7 @@ int ssl23_get_client_hello(SSL *s)
                         (p[1] == SSL3_VERSION_MAJOR) &&
                         (p[5] == SSL3_MT_CLIENT_HELLO) &&
                         ((p[3] == 0 && p[4] < 5 /* silly record length? */)
-                               || (p[9] == p[1])))
+                               || (p[9] >= p[1])))
                        {
                        /*
                         * SSLv3 or tls1 header
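Review bot: The relaxed test on L9 compares the ClientHello's client_version major byte against the record-layer major byte p[1], which the same condition already pins to SSL3_VERSION_MAJOR on L5, so `p[9] >= p[1]` is really "any major version of 3 or above" and would read more clearly as `|| (p[9] >= SSL3_VERSION_MAJOR /* also accept clients advertising a future major version */)`. Note also that the `p[3] == 0 && p[4] < 5` arm on L7 still short-circuits before p[9] is examined, so a tiny fragment is classified as a v3 hello without client_version being looked at at all; that is pre-existing, but it means the new `>=` is not the only path by which an unexpected client_version reaches the version selection that follows. The enclosing condition and the body of ssl23_get_client_hello continue outside this hunk.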
@@ -339,6 +339,13 @@ int ssl23_get_client_hello(SSL *s)
                                v[1] = TLS1_VERSION_MINOR;
 #endif
                                }
+                       /* if major version number > 3 set minor to a value
+                        * which will use the highest version 3 we support.
+                        * If TLS 2.0 ever appears we will need to revise
+                        * this....
+                        */
+                       else if (p[9] > SSL3_VERSION_MAJOR)
+                               v[1]=0xff;
                        else
                                v[1]=p[10]; /* minor version according to client_version */
                        if (v[1] >= TLS1_VERSION_MINOR)
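Review bot: `v[1]=0xff` on L23 is a sentinel rather than a real minor version, and nothing in the hunk prevents it from escaping: if v[1] is later folded into s->client_version or a ServerHello version (the rest of ssl23_get_client_hello is not visible here), a 3.255 value would reach the RSA premaster-secret version comparison in ssl3_get_client_key_exchange and break that Bleichenbacher countermeasure for such clients. Please confirm v[1] is only ever consumed by the `>= TLS1_VERSION_MINOR` comparison on L26 and say so next to the assignment, e.g. `v[1]=0xff; /* sentinel: only compared against TLS1_VERSION_MINOR below, never put on the wire */`. Giving the value a named constant instead of a bare 0xff would also spare the next reader from guessing why this particular byte was chosen. The if/else chain this extends starts before and ends after the hunk.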
@@ -488,6 +495,11 @@ int ssl23_get_client_hello(SSL *s)
                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
                goto err;
 #else
+               if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+                       {
+                       SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+                       goto err;
+                       }
                /* we are talking sslv2 */
                /* we need to clean up the SSLv3/TLSv1 setup and put in the
                 * sslv2 stuff. */
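Review bot: The new guard on L31 tests `s->ctx->options` rather than `s->options`; SSL_set_options() writes the per-connection s->options (seeded from the context at SSL_new time), so an application that enables SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION on the SSL object alone is still rejected here, while a context-level change made after SSL_new silently affects connections the caller believed were already configured. Unless there is a deliberate reason to bypass per-SSL settings, this should read `if (!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))`, which presumably also matches the other option checks earlier in this function that are not visible in the hunk. A short comment would help too, since the error name talks about renegotiation while this is an initial handshake: `/* SSLv2 has no extensions and so cannot carry RFC 5746 renegotiation_info; refuse it unless the application explicitly opted in to unsafe legacy renegotiation. */`. The `type == 1` branch being guarded begins outside this hunk.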