Don't alow TLS v1.0 ciphersuites for SSLv3
[openssl.git] / ssl / t1_lib.c
index 9607c2e02aec9f1039e7a39e9eceaab1f5ea7edf..ffc95d848b55515a3a3382080e006b02e9a6de10 100644 (file)
@@ -441,7 +441,7 @@ static int tls1_get_curvelist(SSL *s, int sess,
             pcurveslen = s->tlsext_ellipticcurvelist_length;
         }
         if (!*pcurves) {
-            if (!s->server || (s->cert && s->cert->ecdh_tmp_auto)) {
+            if (!s->server || s->cert->ecdh_tmp_auto) {
                 *pcurves = eccurves_auto;
                 pcurveslen = sizeof(eccurves_auto);
             } else {
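Review bot: The new condition dereferences `s->cert` unconditionally, so on the server path (`s->server` non-zero) it now relies on `s->cert` never being NULL when tls1_get_curvelist() runs. That invariant is not visible in this hunk, and the commit title does not mention the change. If it is guaranteed elsewhere, presumably at SSL object creation, record it next to the test with a comment such as `/* s->cert is never NULL for an initialised SSL */`. Otherwise keep the original guard, `if (!s->server || (s->cert && s->cert->ecdh_tmp_auto)) {`. The function body starts and ends outside the hunk, so the callers that would establish the invariant cannot be checked from here.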
@@ -1094,6 +1094,9 @@ void ssl_set_client_disabled(SSL *s)
         s->s3->tmp.mask_ssl = SSL_TLSV1_2;
     else
         s->s3->tmp.mask_ssl = 0;
+    /* Disable TLS 1.0 ciphers if using SSL v3 */
+    if (s->client_version == SSL3_VERSION)
+        s->s3->tmp.mask_ssl |= SSL_TLSV1;
     ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
     /*
      * Disable static DH if we don't include any appropriate signature
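Review bot: The added check masks `SSL_TLSV1` suites only in ssl_set_client_disabled(), and only when `s->client_version` is exactly `SSL3_VERSION`, so it covers what the client offers and not what a server may select for an SSLv3 peer. The server-side selection path is not in this hunk; confirm that it applies the same restriction, otherwise an SSLv3 connection could still negotiate a suite tagged for TLS 1.0 and later. The comment would also help more if it said why, for example `/* SSL_TLSV1 suites are not defined for SSLv3: do not offer them in an SSLv3-only ClientHello */`. A regression test that builds an SSLv3-only client and asserts that no `SSL_TLSV1` suite appears in its offered list would pin this behaviour. The function body continues outside the hunk.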