If SSL_OP_LEGACY_SERVER_CONNECT is set, allow renegotiation with unpatched
servers as well as the initial connection to them. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index b50d2a5..9ee7e7d 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1157,8 +1157,8 @@
 	 * which doesn't support RI so for the immediate future tolerate RI
 	 * absence on initial connect only.
 	 */
-	if (!renegotiate_seen && 
-		(s->new_session || !(s->options & SSL_OP_LEGACY_SERVER_CONNECT))
+	if (!renegotiate_seen
+		&& !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
 		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
 		{
 		*al = SSL_AD_HANDSHAKE_FAILURE;
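Review bot: The comment kept directly above the changed condition still says RI absence is tolerated "on initial connect only", but the new test no longer checks `s->new_session`, so with `SSL_OP_LEGACY_SERVER_CONNECT` set a missing RI is accepted on renegotiation as well. The comment should be updated to match, for example by replacing its last line with `* absence on initial connect, and on renegotiation when` and `* SSL_OP_LEGACY_SERVER_CONNECT is set.` Because the flag now covers more than its earlier behaviour, the option's documentation should also state that setting it permits renegotiation with servers that do not send RI, so applications that only wanted the initial connection can decide whether to keep it set. The enclosing function and the start of the comment lie outside the hunk.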