Don't change version number if session established
When sending an invalid version number alert, don't change the
version number to the client version if a session is already
established.

Thanks to Marek Majkowski for additional analysis of this issue.

PR#3191
snhenson committed Jan 2, 2014
1 parent 1c2c5e4 commit f3dcc84
Showing 2 changed files with 3 additions and 2 deletions.
2 changes: 1 addition & 1 deletion ssl/s3_pkt.c
@@ -335,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
if (version != s->version)
{
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
if ((s->version & 0xFF00) == (version & 0xFF00))
if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
/* Send back error using their minor version number :-) */
s->version = (unsigned short)version;
al=SSL_AD_PROTOCOL_VERSION;
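Review bot: the new guard `!s->enc_write_ctx && !s->write_hash` on the modified `if` uses the absence of a write cipher context and write MAC as the test for "no session established yet", but the comment directly below it still says only "Send back error using their minor version number", so a later reader will not see why the extra conditions exist. Extend the comment to state the reason: the version field in a record header is read before any MAC check and is therefore untrusted, and once write encryption is active, overwriting `s->version` from that header would let an unauthenticated record change the version used by an already negotiated connection; the alert (`al=SSL_AD_PROTOCOL_VERSION`) is still sent either way, only the version rewrite is suppressed. Also consider splitting the condition across two lines as the matching change in `ssl/s3_srvr.c` does, since the single-line form is well past the file's usual line length.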
3 changes: 2 additions & 1 deletion ssl/s3_srvr.c
@@ -958,7 +958,8 @@ int ssl3_get_client_hello(SSL *s)
(s->version != DTLS1_VERSION && s->client_version < s->version))
{
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
if ((s->client_version>>8) == SSL3_VERSION_MAJOR &&
!s->enc_write_ctx && !s->write_hash)
{
/* similar to ssl3_get_record, send alert using remote version number */
s->version = s->client_version;
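Review bot: this hunk repeats the same `!s->enc_write_ctx && !s->write_hash` predicate added in `ssl3_get_record`; consider a small helper or macro (for example an "is write state initialised" check) so the two call sites cannot drift apart, since the correctness of the fix depends on both paths agreeing on what "session established" means. The inline comment "similar to ssl3_get_record, send alert using remote version number" should also mention the new precondition: in this function the case that matters is a renegotiation ClientHello arriving over an already encrypted connection with `s->client_version < s->version`, where the old code would have lowered `s->version` on the live connection before sending the alert, and the new condition keeps that assignment confined to the initial, unencrypted handshake.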
