SNI is a TLS extension and requires at least TLSv1.0 or later, however
the version in the record layer may be SSLv3, not necessarily TLSv1.0.
GnuTLS for example does this.
Relax the record layer version check in smp_fetch_ssl_hello_sni() to
allow fetching SNI values from clients indicating SSLv3 in the record
layer (maintaining the TLSv1.0+ check in the actual handshake version).
This was reported and analyzed by Pravin Tatti.
---
src/payload.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/payload.c b/src/payload.c
index b806e08..4057f6f 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -285,10 +285,10 @@ smp_fetch_ssl_hello_sni(struct proxy *px, struct session
*s, void *l7, unsigned
if (*data != 0x16)
goto not_ssl_hello;
- /* Check for TLSv1 or later (SSL version >= 3.1) */
+ /* Check for SSLv3 or later (SSL version >= 3.0) in the record layer*/
if (bleft < 3)
goto too_short;
- if (data[1] < 0x03 || data[2] < 0x01)
+ if (data[1] < 0x03)
goto not_ssl_hello;
if (bleft < 5)
--
1.7.9.5
