From aa695be98300c7dc7a353ed1e83b310e8465db07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 10 Apr 2015 14:12:14 +0200 Subject: [PATCH] Fix version-major intolerance again This time doing minimal changes to avoid introducing other issues. --- library/ssl_srv.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 249b5a138..cd9802a15 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -438,15 +438,20 @@ static int ssl_parse_client_hello( ssl_context *ssl ) buf[1], buf[2] ) ); /* - * SSLv3 Client Hello + * SSLv3/TLS Client Hello * * Record layer: * 0 . 0 message type * 1 . 2 protocol version * 3 . 4 message length */ + + /* According to RFC 5246 Appendix E.1, the version here is typically + * "{03,00}, the lowest version number supported by the client, [or] the + * value of ClientHello.client_version", so the only meaningful check here + * is the major version shouldn't be less than 3 */ if( buf[0] != SSL_MSG_HANDSHAKE || - buf[1] != SSL_MAJOR_VERSION_3 ) + buf[1] < SSL_MAJOR_VERSION_3 ) { SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); @@ -503,7 +508,7 @@ static int ssl_parse_client_hello( ssl_context *ssl ) * Check the handshake type and protocol version */ if( buf[0] != SSL_HS_CLIENT_HELLO || - buf[4] != SSL_MAJOR_VERSION_3 ) + buf[4] < SSL_MAJOR_VERSION_3 ) { SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );