Skip to content

Commit ca98926

Browse files
committed
Use version in SSL_METHOD not SSL structure.
When deciding whether to use TLS 1.2 PRF and record hash algorithms use the version number in the corresponding SSL_METHOD structure instead of the SSL structure. The SSL structure version is sometimes inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already. (CVE-2013-6449)
1 parent 2ec4181 commit ca98926

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

Diff for: ssl/s3_lib.c

+1-1
Original file line numberDiff line numberDiff line change
@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT.
42864286
long ssl_get_algorithm2(SSL *s)
42874287
{
42884288
long alg2 = s->s3->tmp.new_cipher->algorithm2;
4289-
if (TLS1_get_version(s) >= TLS1_2_VERSION &&
4289+
if (s->method->version == TLS1_2_VERSION &&
42904290
alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
42914291
return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
42924292
return alg2;

0 commit comments

Comments
 (0)