The branch OpenSSL_1_0_2-stable has been updated
via 44191de234b061145a6ed14221927ec0c9c7b7bf (commit)
from fde111ba045f7c00e2fe673bf5bf161a64c2cb60 (commit)
- Log -----------------------------------------------------------------
commit 44191de234b061145a6ed14221927ec0c9c7b7bf
Author: Matt Caswell <m...@openssl.org>
Date: Thu Jun 1 10:31:56 2017 +0100
Send a protocol version alert
If we fail to negotiate a version then we should send a protocol version
alert.
Fixes #3595
Reviewed-by: Tim Hudson <t...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3598)
-----------------------------------------------------------------------
Summary of changes:
ssl/s23_clnt.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index b80d1fd..92f41dd 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -735,7 +735,35 @@ static int ssl23_get_server_hello(SSL *s)
s->version = TLS1_2_VERSION;
s->method = TLSv1_2_client_method();
} else {
+ /*
+ * Unrecognised version, we'll send a protocol version alert using
+ * our preferred version.
+ */
+ switch(s->client_version) {
+ default:
+ /*
+ * Shouldn't happen
+ * Fall through
+ */
+ case TLS1_2_VERSION:
+ s->version = TLS1_2_VERSION;
+ s->method = TLSv1_2_client_method();
+ break;
+ case TLS1_1_VERSION:
+ s->version = TLS1_1_VERSION;
+ s->method = TLSv1_1_client_method();
+ break;
+ case TLS1_VERSION:
+ s->version = TLS1_VERSION;
+ s->method = TLSv1_client_method();
+ break;
+ case SSL3_VERSION:
+ s->version = SSL3_VERSION;
+ s->method = SSLv3_client_method();
+ break;
+ }
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
goto err;
}
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
