Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

remove SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION -- openssl uses

Browse Source 
another mechanism now, and these remainders break renogotiation with
(at least) tor and postgres
This commit is contained in:
drochner 2011-07-07 18:11:18 +00:00
parent bd5f274d5d
commit 929391d8b0
4 changed files with 1 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
crypto/external/bsd/openssl/dist/ssl/s3_lib.c vendored
View File

@ -3727,9 +3727,6 @@ int ssl3_renegotiate(SSL *s)
if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
return(0);
if (!(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
return(0);
s->s3->renegotiate=1;
return(1);
}

4
crypto/external/bsd/openssl/dist/ssl/s3_pkt.c vendored
View File

@ -1108,7 +1108,6 @@ start:
if (SSL_is_init_finished(s) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) &&
!s->s3->renegotiate)
{
ssl3_renegotiate(s);
@ -1278,8 +1277,7 @@ start:
if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake)
{
if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
{
#if 0 /* worked only because C operator preferences are not as expected (and
* because this is not really needed for clients except for detecting

8
crypto/external/bsd/openssl/dist/ssl/s3_srvr.c vendored
View File

@ -877,14 +877,6 @@ int ssl3_get_client_hello(SSL *s)
#endif
STACK_OF(SSL_CIPHER) *ciphers=NULL;
if (s->new_session
&& !(s->s3->flags&SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{
al=SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto f_err;
}
/* We do this so that we will respond with our native type.
* If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
* This down switching should be handled by a different method.

2
crypto/external/bsd/openssl/dist/ssl/ssl_locl.h vendored
View File

@ -459,8 +459,6 @@
#define NAMED_CURVE_TYPE 3
#endif /* OPENSSL_NO_EC */
#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
typedef struct cert_pkey_st
{
X509 *x509;