diff --git a/openssl-0.9.8g-no-extssl.patch b/openssl-0.9.8g-no-extssl.patch
index 2f0407a..de00d0c 100644
--- a/openssl-0.9.8g-no-extssl.patch
+++ b/openssl-0.9.8g-no-extssl.patch
@@ -1,17 +1,27 @@
-Skip adding tls extensions to client hello when protocol version is
-not TLS.
 diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c
 --- openssl-0.9.8g/ssl/t1_lib.c.no-extssl 2007-10-19 09:44:10.000000000 +0200
-+++ openssl-0.9.8g/ssl/t1_lib.c 2007-12-13 17:22:10.000000000 +0100
++++ openssl-0.9.8g/ssl/t1_lib.c 2008-08-10 21:42:11.000000000 +0200
 @@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex
  int extdatalen=0;
  unsigned char *ret = p;
  
 + if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION)
-+ {
++ {
 + return ret;
-+ }
++ }
 +
  ret+=2;
  if (ret>=limit) return NULL; /* this really never occurs, but ... */
  
+@@ -202,6 +207,11 @@ unsigned char *ssl_add_serverhello_tlsex
+ int extdatalen=0;
+ unsigned char *ret = p;
+ 
++ if (s->version != TLS1_VERSION && s->version != DTLS1_VERSION)
++ {
++ return ret;
++ }
++
+ ret+=2;
+ if (ret>=limit) return NULL; /* this really never occurs, but ... */
+ 
diff --git a/openssl.spec b/openssl.spec
index 7c4e1ab..a331346 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
 Summary: The OpenSSL toolkit
 Name: openssl
 Version: 0.9.8g
-Release: 10%{?dist}
+Release: 11%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-usa.tar.bz2
@@ -368,6 +368,9 @@ rm -rf $RPM_BUILD_ROOT/%{_bindir}/openssl_fips_fingerprint
 %postun -p /sbin/ldconfig
 
 %changelog
+* Sun Aug 10 2008 Tomas Mraz 0.9.8g-11
+- do not add tls extensions to server hello for SSLv3 either
+
 * Mon Jun 2 2008 Joe Orton 0.9.8g-10
 - move root CA bundle to ca-certificates package
 
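Review bot: In the openssl-0.9.8g-no-extssl.patch hunk the two-line rationale at the top of the patch is deleted rather than updated, so a downstream change to both hello paths of the handshake now ships with no explanation; I would keep the header and extend it, e.g. `Skip adding tls extensions to client and server hello when protocol version is not TLS or DTLS.` The two guards also read different fields (`s->client_version` in the client-hello writer, `s->version` in the server-hello writer) and compare by exact equality, so any version other than TLS1_VERSION or DTLS1_VERSION returns `ret` unchanged and silently sends no extensions at all. That appears intended for this release, but it is the kind of check that quietly disables extensions if further protocol versions are enabled later, so each guard deserves a comment such as `/* extensions are only written for TLS1/DTLS1; SSLv3 hellos carry none */`, with the choice of field on each side explained. Both function bodies continue outside the lines shown, so how callers treat the unchanged pointer cannot be confirmed from this hunk.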