Merge 5.5 into 10.0

author: Marko Mäkelä <marko.makela@mariadb.com> 2018-03-20 18:36:03 +0200
committer: Marko Mäkelä <marko.makela@mariadb.com> 2018-03-20 18:36:03 +0200
commit: 04921000594dcbdf23340850b9284fd30ccdb0fd (patch)
tree: 94a14b06efc781d8ddd12b5a9276c533c12a5868 /extra/yassl
parent: e3dd9a95e50ef2019435b01bd9e161d552673a28 (diff)
parent: 69bc3c1976ebcbe116890d9d26305fd2887ed47c (diff)
download: mariadb-git-04921000594dcbdf23340850b9284fd30ccdb0fd.tar.gz
1 files changed, 10 insertions, 0 deletions
diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp
index 407e4092ccc..6e181a997bd 100644
--- a/extra/yassl/src/handshake.cpp
+++ b/extra/yassl/src/handshake.cpp
@@ -788,6 +788,16 @@ int DoProcessReply(SSL& ssl)
             needHdr = true;
         else {
             buffer >> hdr;
+            /*
+              According to RFC 4346 (see "7.4.1.3. Server Hello"), the Server Hello
+              packet needs to specify the highest supported TLS version, but not
+              higher than what client requests. YaSSL highest supported version is
+              TLSv1.1 (=3.2) - if the client requests a higher version, downgrade it
+              here to 3.2.
+              See also Appendix E of RFC 5246 (TLS 1.2)
+            */
+            if (hdr.version_.major_ == 3 && hdr.version_.minor_ > 2)
+              hdr.version_.minor_ = 2;
             ssl.verifyState(hdr);
         }
author	Marko Mäkelä <marko.makela@mariadb.com>	2018-03-20 18:36:03 +0200
committer	Marko Mäkelä <marko.makela@mariadb.com>	2018-03-20 18:36:03 +0200
commit	04921000594dcbdf23340850b9284fd30ccdb0fd (patch)
tree	94a14b06efc781d8ddd12b5a9276c533c12a5868 /extra/yassl
parent	e3dd9a95e50ef2019435b01bd9e161d552673a28 (diff)
parent	69bc3c1976ebcbe116890d9d26305fd2887ed47c (diff)
download	mariadb-git-04921000594dcbdf23340850b9284fd30ccdb0fd.tar.gz