PR: 1629

Submitted by: Kaspar Brand <ossl-rt@velox.ch>
Approved by: steve@openssl.org

Don't use extensions if using SSLv3: this chokes some broken servers.

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 3c6907f608faeef8ed2fd12d283baa1550311dbf..bd849ac593a4344357729de3cb03f861ca02fbb3 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -275,6 +275,10 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
        int extdatalen=0;
        unsigned char *ret = p;
 
+       /* don't add extensions for SSLv3 */
+       if (s->client_version == SSL3_VERSION)
+               return p;
+
        ret+=2;
 
        if (ret>=limit) return NULL; /* this really never occurs, but ... */
@@ -472,6 +476,10 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
        int extdatalen=0;
        unsigned char *ret = p;
 
+       /* don't add extensions for SSLv3 */
+       if (s->version == SSL3_VERSION)
+               return p;
+       
        ret+=2;
        if (ret>=limit) return NULL; /* this really never occurs, but ... */