diff options
| author |   beck <beck@openbsd.org> | 2014-04-16 18:05:55 +0000 |
|---|---|---|
| committer | beck <beck@openbsd.org> | 2014-04-16 18:05:55 +0000 |
| commit | 900497b9d82698814a8de6c7f508f8f544542483 (patch) | |
| tree | b223ba82f6fff647ce99fa8bbf113912383a861b /lib/libssl/src/ssl/t1_lib.c | |
| parent | disentangle SRP code from TLS (diff) | |
| download | wireguard-openbsd-900497b9d82698814a8de6c7f508f8f544542483.tar.xz wireguard-openbsd-900497b9d82698814a8de6c7f508f8f544542483.zip | |
Thanks to the knobs in http://tools.ietf.org/html/rfc5746, we have a knob
to say "allow this connection to negotiate insecurely". de-fang the code
that respects this option to ignore it.
ok miod@
Diffstat (limited to 'lib/libssl/src/ssl/t1_lib.c')
| -rw-r--r-- | lib/libssl/src/ssl/t1_lib.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/lib/libssl/src/ssl/t1_lib.c b/lib/libssl/src/ssl/t1_lib.c index 417b90381b5..c4eeb7a41d2 100644 --- a/lib/libssl/src/ssl/t1_lib.c +++ b/lib/libssl/src/ssl/t1_lib.c @@ -1296,8 +1296,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, /* Need RI if renegotiating */ - if (!renegotiate_seen && s->renegotiate && - !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { + if (!renegotiate_seen && s->renegotiate) { *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); @@ -1533,8 +1532,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, * absence on initial connect only. */ if (!renegotiate_seen - && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) - && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { + && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |