ret+=size_str;
}
- /* Add the renegotiation option: TODOEKR switch */
- {
+ /* Add RI if renegotiating */
+ if (s->new_session)
+ {
int el;
if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
if (!renegotiate_seen && s->new_session &&
!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{
- /* FIXME: Spec currently doesn't give alert to use */
- *al = SSL_AD_ILLEGAL_PARAMETER;
+ *al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
return 0;
* which doesn't support RI so for the immediate future tolerate RI
* absence on initial connect only.
*/
- if (!renegotiate_seen && s->new_session &&
- !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ if (!renegotiate_seen
+ && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
+ && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{
- /* FIXME: Spec currently doesn't give alert to use */
- *al = SSL_AD_ILLEGAL_PARAMETER;
+ *al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
return 0;