diff --git a/CHANGES b/CHANGES
index a8666781a3..c494b9281f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@ Changes between 0.9.6j and 0.9.6k [xx XXX 2003]
+ *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
+ extra data after the compression methods not only for TLS 1.0
+ but also for SSL 3.0 (as required by the specification).
+ [Bodo Moeller; problem pointed out by Matthias Loepfe]
+
 *) Change X509_certificate_type() to mark the key as exported/exportable when it's 512 *bits* long, not 512 bytes. [Richard Levitte]
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 3f4818e888..bd9f7dc209 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -828,6 +828,9 @@ static int ssl3_get_client_hello(SSL *s)
 } /* TLS does not mind if there is extra stuff */
+#if 0 /* SSL 3.0 does not mind either, so we should disable this test
+ * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b,
+ * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */
 if (s->version == SSL3_VERSION) { if (p < (d+n))
@@ -839,6 +842,7 @@ static int ssl3_get_client_hello(SSL *s)
 goto f_err; } }
+#endif
 /* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must * pick a cipher */
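Review bot: The `#if 0` added in the first ssl/s3_srvr.c hunk and the `#endif` in the second leave the SSL 3.0 trailing-data check in the file as dead code, and the existing comment `/* TLS does not mind if there is extra stuff */` directly above it now introduces a branch that is never compiled. Since the check is being retired for both protocol versions, I would delete the block instead of disabling it and replace both comments with one, e.g. `/* SSL 3.0 and TLS 1.0 both permit extra data after the compression methods; any bytes in [p, d+n) are deliberately ignored here */`. ssl3_get_client_hello() starts before the first hunk and continues past the second, so it is worth confirming that nothing later in the function assumes `p == d+n` now that trailing bytes are accepted for SSL 3.0 as well.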