Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / c93242cab986087f06a4655d14fec18eecb7f5f4
commitc93242cab986087f06a4655d14fec18eecb7f5f4[log] [tgz]
authorLukas Tribus <luky-37@hotmail.com>Thu Nov 05 13:59:30 2015 +0100
committerWilly Tarreau <w@1wt.eu>Thu Nov 05 14:10:06 2015 +0100
treee69261ee8ee9c0aa8f7acfddbc699d249fa7619d
parentcf4fb036a47042c86c9e3138ef01a6136fd5db87 [diff]
BUG/MINOR: acl: don't use record layer in req_ssl_ver

The initial record layer version in a SSL handshake may be set to TLSv1.0
or similar for compatibility reasons, this is allowed as per RFC5246
Appendix E.1 [1]. Some implementations are Openssl [2] and NSS [3].

A related issue has been fixed some time ago in commit 57d229747
("BUG/MINOR: acl: req_ssl_sni fails with SSLv3 record version").

Fix this by using the real client hello version instead of the record
layer version.

This was reported by Julien Vehent and analyzed by Cyril Bonté.
The initial patch is from Julien Vehent as well.

This should be backported to stable series, the req_ssl_ver keyword was
first introduced in 1.3.16.

[1] https://tools.ietf.org/html/rfc5246#appendix-E.1
[2] https://github.com/openssl/openssl/commit/4a1cf50187659e60c5867ecbbc36e37b2605d2c3
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=774547
1 file changed
tree: e69261ee8ee9c0aa8f7acfddbc699d249fa7619d
  1. contrib/
  2. doc/
  3. ebtree/
  4. examples/
  5. include/
  6. src/
  7. tests/
  8. .gitignore
  9. CHANGELOG
  10. CONTRIBUTING
  11. LICENSE
  12. MAINTAINERS
  13. Makefile
  14. README
  15. ROADMAP
  16. SUBVERS
  17. VERDATE
  18. VERSION