summaryrefslogtreecommitdiff
path: root/extra
diff options
context:
space:
mode:
authorVladislav Vaintroub <wlad@mariadb.com>2018-03-14 14:35:27 +0000
committerVladislav Vaintroub <wlad@mariadb.com>2018-03-14 14:35:27 +0000
commit0943b33de3daa0fcbf58803be8e991941de63218 (patch)
tree2f8471af8b286571d2ce612a07b83f135e92cae4 /extra
parent926edd48e1e67bf9a315b3602638a76c4c445ef6 (diff)
downloadmariadb-git-0943b33de3daa0fcbf58803be8e991941de63218.tar.gz
MDEV-12190 YASSL isn't able to negotiate TLS version correctly
Backport from 10.2
Diffstat (limited to 'extra')
-rw-r--r--extra/yassl/src/handshake.cpp10
1 files changed, 10 insertions, 0 deletions
diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp
index aa2de39333c..bb8e3791552 100644
--- a/extra/yassl/src/handshake.cpp
+++ b/extra/yassl/src/handshake.cpp
@@ -787,6 +787,16 @@ int DoProcessReply(SSL& ssl)
needHdr = true;
else {
buffer >> hdr;
+ /*
+ According to RFC 4346 (see "7.4.1.3. Server Hello"), the Server Hello
+ packet needs to specify the highest supported TLS version, but not
+ higher than what client requests. YaSSL highest supported version is
+ TLSv1.1 (=3.2) - if the client requests a higher version, downgrade it
+ here to 3.2.
+ See also Appendix E of RFC 5246 (TLS 1.2)
+ */
+ if (hdr.version_.major_ == 3 && hdr.version_.minor_ > 2)
+ hdr.version_.minor_ = 2;
ssl.verifyState(hdr);
}