From: Dr. Stephen Henson
Date: Wed, 18 Nov 2009 15:08:49 +0000 (+0000)
Subject: Servers can't end up talking SSLv2 with legacy renegotiation disabled
X-Git-Tag: OpenSSL_0_9_8m-beta1~50
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7f5448e3a83164ff1be1e57aefe4462db9b30c76;p=openssl
Servers can't end up talking SSLv2 with legacy renegotiation disabled
---
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index ba06e7ae2e..73b7e610e0 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -486,6 +486,11 @@ int ssl23_get_client_hello(SSL *s)
 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
 goto err;
 #else
+ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ goto err;
+ }
 /* we are talking sslv2 */
 /* we need to clean up the SSLv3/TLSv1 setup and put in the
 * sslv2 stuff. */
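Review bot: The added guard reads `s->ctx->options`, so the flag is taken from the context and not from the connection; if an application sets SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION on the SSL object only, this check would presumably still refuse the SSLv2 hello and could disagree with checks elsewhere that consult the per-connection options. If per-connection options are meant to apply here, the condition would be `if (!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))`. The branch also carries no comment, and the error it raises reads as a renegotiation failure although it fires on an initial SSLv2 hello; a line such as `/* refuse SSLv2 unless unsafe legacy renegotiation is explicitly allowed */` above the `if` would help whoever meets that error in a log. ssl23_get_client_hello starts and ends outside the hunk, so how `err` is handled is not visible here.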