wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 11:17:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

adds support for TLS downgrading against buggy TLS servers.

Browse Source 
reference: RFC 5246 - TLS 1.2 - Appendix E.1:

   Note: some server implementations are known to implement version
   negotiation incorrectly.  For example, there are buggy TLS 1.0
   servers that simply close the connection when the client offers a
   version newer than TLS 1.0.  Also, it is known that some servers will
   refuse the connection if any TLS extensions are included in
   ClientHello.  Interoperability with such buggy servers is a complex
   topic beyond the scope of this document, and may require multiple
   connection attempts by the client.

   Earlier versions of the TLS specification were not fully clear on
   what the record layer version number (TLSPlaintext.version) should
   contain when sending ClientHello (i.e., before it is known which
   version of the protocol will be employed).  Thus, TLS servers
   compliant with this specification MUST accept any value {03,XX} as
   the record layer version number for ClientHello.

   TLS clients that wish to negotiate with older servers MAY send any
   value {03,XX} as the record layer version number.  Typical values
   would be {03,00}, the lowest version number supported by the client,
   and the value of ClientHello.client_version.  No single value will
   guarantee interoperability with all old servers, but this is a
   complex topic beyond the scope of this document.
This commit is contained in:
Moisés Guimarães
2015-10-27 16:05:36 -03:00
parent a42308e28a
commit 8dc154ff71
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/internal.c
View File

@ -2843,6 +2843,14 @@ static void AddRecordHeader(byte* output, word32 length, byte type, WOLFSSL* ssl
rl->pvMajor = ssl->version.major; /* type and version same in each */
rl->pvMinor = ssl->version.minor;
#ifdef WOLFSSL_ALTERNATIVE_DOWNGRADE
if (ssl->options.side == WOLFSSL_CLIENT_END
&& ssl->options.connectState == CONNECT_BEGIN
&& !ssl->options.resuming)
rl->pvMinor = ssl->options.downgrade ? ssl->options.minDowngrade
: ssl->version.minor;
#endif
if (!ssl->options.dtls)
c16toa((word16)length, rl->length);
else {