diff options
author | Vladislav Vaintroub <wlad@mariadb.com> | 2018-03-14 14:35:27 +0000 |
---|---|---|
committer | Vladislav Vaintroub <wlad@mariadb.com> | 2018-03-14 14:35:27 +0000 |
commit | 0943b33de3daa0fcbf58803be8e991941de63218 (patch) | |
tree | 2f8471af8b286571d2ce612a07b83f135e92cae4 /extra | |
parent | 926edd48e1e67bf9a315b3602638a76c4c445ef6 (diff) | |
download | mariadb-git-0943b33de3daa0fcbf58803be8e991941de63218.tar.gz |
MDEV-12190 YASSL isn't able to negotiate TLS version correctly
Backport from 10.2
Diffstat (limited to 'extra')
-rw-r--r-- | extra/yassl/src/handshake.cpp | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp index aa2de39333c..bb8e3791552 100644 --- a/extra/yassl/src/handshake.cpp +++ b/extra/yassl/src/handshake.cpp @@ -787,6 +787,16 @@ int DoProcessReply(SSL& ssl) needHdr = true; else { buffer >> hdr; + /* + According to RFC 4346 (see "7.4.1.3. Server Hello"), the Server Hello + packet needs to specify the highest supported TLS version, but not + higher than what client requests. YaSSL highest supported version is + TLSv1.1 (=3.2) - if the client requests a higher version, downgrade it + here to 3.2. + See also Appendix E of RFC 5246 (TLS 1.2) + */ + if (hdr.version_.major_ == 3 && hdr.version_.minor_ > 2) + hdr.version_.minor_ = 2; ssl.verifyState(hdr); } |