- do not add tls extensions to server hello for SSLv3 either

2008-08-10 19:45:27 +00:00 · 2008-08-10 19:45:27 +00:00 · c59bdb11a0
commit c59bdb11a0
parent acba378bc3
2 changed files with 19 additions and 6 deletions
--- a/openssl-0.9.8g-no-extssl.patch
+++ b/openssl-0.9.8g-no-extssl.patch
@ -1,17 +1,27 @@
 Skip adding tls extensions to client hello when protocol version is
 not TLS.
 diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c
 --- openssl-0.9.8g/ssl/t1_lib.c.no-extssl	2007-10-19 09:44:10.000000000 +0200
-+++ openssl-0.9.8g/ssl/t1_lib.c	2007-12-13 17:22:10.000000000 +0100
+++ openssl-0.9.8g/ssl/t1_lib.c	2008-08-10 21:42:11.000000000 +0200
@@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex
 	int extdatalen=0;
 	unsigned char *ret = p;
 +	if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION)
-+	{
+		{
 +		return ret;
-+	}
+		}
 +
 	ret+=2;
 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
@@ -202,6 +207,11 @@ unsigned char *ssl_add_serverhello_tlsex
 	int extdatalen=0;
 	unsigned char *ret = p;
 +	if (s->version != TLS1_VERSION && s->version != DTLS1_VERSION)
 +		{
 +		return ret;
 +		}
 +
 	ret+=2;
 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
--- a/openssl.spec
+++ b/openssl.spec
@ -22,7 +22,7 @@
 Summary: The OpenSSL toolkit
 Name: openssl
 Version: 0.9.8g
-Release: 10%{?dist}
+Release: 11%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-usa.tar.bz2
@ -368,6 +368,9 @@ rm -rf $RPM_BUILD_ROOT/%{_bindir}/openssl_fips_fingerprint
 %postun -p /sbin/ldconfig
 %changelog
 * Sun Aug 10 2008 Tomas Mraz <tmraz@redhat.com> 0.9.8g-11
 - do not add tls extensions to server hello for SSLv3 either
 * Mon Jun  2 2008 Joe Orton <jorton@redhat.com> 0.9.8g-10
 - move root CA bundle to ca-certificates package