From ba2fd95037b9550e3efb4547034951151cc0e273 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 23 Apr 2018 17:14:47 +0100 Subject: [PATCH] In a reneg use the same client_version we used last time In 1.0.2 and below we always send the same client_version in a reneg ClientHello that we sent the first time around, regardless of what version eventually gets negotiated. According to a comment in statem_clnt.c this is a workaround for some buggy servers that choked if we changed the version used in the RSA encrypted premaster secret. In 1.1.0+ this behaviour no longer occurs. This restores the original behaviour. Fixes #1651 Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6060) --- ssl/ssl_locl.h | 3 +++ ssl/statem/statem_lib.c | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index d86bd7e8e2..85c754968c 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -347,6 +347,9 @@ /* we have used 0000003f - 26 bits left to go */ +# define SSL_IS_FIRST_HANDSHAKE(S) ((s)->s3->tmp.finish_md_len == 0 \ + || (s)->s3->tmp.peer_finish_md_len == 0) + /* Check if an SSL structure is using DTLS */ # define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) /* See if we need explicit IV */ diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 36d410bdf7..c4d4f26f7e 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -1073,6 +1073,13 @@ int ssl_set_client_hello_version(SSL *s) { int ver_min, ver_max, ret; + /* + * In a renegotiation we always send the same client_version that we sent + * last time, regardless of which version we eventually negotiated. + */ + if (!SSL_IS_FIRST_HANDSHAKE(s)) + return 0; + ret = ssl_get_client_min_max_version(s, &ver_min, &ver_max); if (ret != 0) -- 2.40.0