t1_lib.c contains this comment in ssl_parse_serverhello_tlsext():

        /* Determine if we need to see RI. Strictly speaking if we want to
         * avoid an attack we should *always* see RI even on initial server
         * hello because the client doesn't see any renegotiation during an
         * attack. However this would mean we could not connect to any server
         * which doesn't support RI so for the immediate future tolerate RI
         * absence on initial connect only.
         */
        if (!renegotiate_seen
            && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
            && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
            {
However, after Steve's commit [*], which relaxed the check, the "initial
connect only" part of that comment is no longer true: with
SSL_OP_LEGACY_SERVER_CONNECT set, any ServerHello (not just the first one)
may now omit RI.
v.
[*] The commit message for revision 1.13.2.26 said this:
Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
and did this:
708,709c708,709
< if (!renegotiate_seen &&
< (s->new_session || !(s->options & SSL_OP_LEGACY_SERVER_CONNECT))
---
> if (!renegotiate_seen
> && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
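Review bot: dropping the `s->new_session ||` disjunct on the `<` line leaves the block's own comment ("tolerate RI absence on initial connect only") describing behaviour the code no longer has; with SSL_OP_LEGACY_SERVER_CONNECT set, a ServerHello without renegotiation_info is now accepted on renegotiation as well as on the initial handshake. Either keep a `s->new_session` term so the option only affects the initial connect, or update the comment to say plainly that the option now tolerates a missing RI on every ServerHello, so readers of the code are not misled about what the option permits.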
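As an added illustration (not code from this post or from OpenSSL), here are the pre- and post-commit conditions modelled as plain C predicates and enumerated over every input combination. The option bit values are constructed stand-ins, and the third `ALLOW_UNSAFE_LEGACY_RENEGOTIATION` clause is assumed to have been unchanged in both versions, since the diff header 708,709c708,709 touches only the two lines shown. The enumeration isolates the single case whose outcome the commit changed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in option bits; the real SSL_OP_* values in OpenSSL differ. */
#define OPT_LEGACY_SERVER_CONNECT             0x1UL
#define OPT_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x2UL

/* Condition before the commit: the '<' lines of the diff, plus the
 * ALLOW_UNSAFE clause assumed unchanged on the following source line.
 * Returns true when the client rejects a ServerHello lacking renegotiation_info. */
bool ri_missing_rejected_before(bool renegotiate_seen, bool new_session,
                                unsigned long options)
{
    return !renegotiate_seen &&
           (new_session || !(options & OPT_LEGACY_SERVER_CONNECT)) &&
           !(options & OPT_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
}

/* Condition after the commit, as shown in the annotated t1_lib.c excerpt.
 * new_session is no longer consulted at all. */
bool ri_missing_rejected_after(bool renegotiate_seen, bool new_session,
                               unsigned long options)
{
    (void)new_session;
    return !renegotiate_seen
        && !(options & OPT_LEGACY_SERVER_CONNECT)
        && !(options & OPT_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
}

/* Walk all 16 input combinations and count those where the two versions
 * disagree; the first such combination is reported through the
 * out-parameters (each may be NULL). */
int count_behaviour_changes(bool *ri_out, bool *ns_out, unsigned long *opt_out)
{
    int changed = 0;
    for (int ri = 0; ri < 2; ri++) {
        for (int ns = 0; ns < 2; ns++) {
            for (unsigned long opt = 0; opt < 4; opt++) {
                bool before = ri_missing_rejected_before(ri, ns, opt);
                bool after = ri_missing_rejected_after(ri, ns, opt);
                if (before == after)
                    continue;
                if (changed == 0) {
                    if (ri_out) *ri_out = ri;
                    if (ns_out) *ns_out = ns;
                    if (opt_out) *opt_out = opt;
                }
                changed++;
            }
        }
    }
    return changed;
}

/* Prints the full before/after truth table for the reader. */
int main(void)
{
    printf("RI_seen new_session LEGACY UNSAFE | before after\n");
    for (int ri = 0; ri < 2; ri++)
        for (int ns = 0; ns < 2; ns++)
            for (unsigned long opt = 0; opt < 4; opt++)
                printf("%7d %11d %6lu %6lu | %6s %5s\n", ri, ns,
                       opt & OPT_LEGACY_SERVER_CONNECT,
                       (opt & OPT_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) ? 1UL : 0UL,
                       ri_missing_rejected_before(ri, ns, opt) ? "reject" : "accept",
                       ri_missing_rejected_after(ri, ns, opt) ? "reject" : "accept");
    printf("combinations whose outcome changed: %d\n",
           count_behaviour_changes(NULL, NULL, NULL));
    return 0;
}
```

The only row that flips is RI absent, new_session set, LEGACY_SERVER_CONNECT set: the old condition rejected it regardless of the legacy option, the new one accepts it. Every other row, including the initial-connect rows, is unchanged, which is exactly the gap between the code and its "initial connect only" comment.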
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]