there is no minimum length for session IDs
PR: 274
This commit is contained in:
Bodo Möller
parent
30c37c52c5
commit
5fef7d56ce
2 changed files with 10 additions and 7 deletions
4
CHANGES
4
CHANGES
|
|
@ -4,6 +4,10 @@
|
|||
|
||||
Changes between 0.9.6g and 0.9.6h [xx XXX xxxx]
|
||||
|
||||
*) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
|
||||
(the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
|
||||
[Bodo Moeller]
|
||||
|
||||
*) Fix race condition in SSLv3_client_method().
|
||||
[Bodo Moeller]
|
||||
|
||||
|
|
|
|||
|
|
@ -632,13 +632,12 @@ static int ssl3_get_server_hello(SSL *s)
|
|||
/* get the session-id */
|
||||
j= *(p++);
|
||||
|
||||
if(j > sizeof s->session->session_id)
|
||||
{
|
||||
al=SSL_AD_ILLEGAL_PARAMETER;
|
||||
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
|
||||
SSL_R_SSL3_SESSION_ID_TOO_LONG);
|
||||
goto f_err;
|
||||
}
|
||||
if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
|
||||
{
|
||||
al=SSL_AD_ILLEGAL_PARAMETER;
|
||||
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
|
||||
goto f_err;
|
||||
}
|
||||
|
||||
if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
|
||||
{
|
||||
|
|
|
|||
Loading…
Reference in a new issue