aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/tls/tls_client.cpp
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2017-11-28 14:27:36 -0500
committerJack Lloyd <[email protected]>2017-11-28 14:27:36 -0500
commit5205df88f44b3d52854688ae790dafe33811ec4b (patch)
tree5b8be66a0968a5ee6c118345d25770afbcde879a /src/lib/tls/tls_client.cpp
parentbf59cc53a768cd0ea1deb78a9a75c3bc92d466e6 (diff)
Add an explicit catch for a server trying to negotiate SSLv3
This was already caught with the policy check later but it's better to be explicit. (And in theory an application might implement their policy version check to be "return true", which would lead to us actually attempting to negotiate SSLv3).
Diffstat (limited to 'src/lib/tls/tls_client.cpp')
-rw-r--r--src/lib/tls/tls_client.cpp8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp
index ce19f04c9..0e620a279 100644
--- a/src/lib/tls/tls_client.cpp
+++ b/src/lib/tls/tls_client.cpp
@@ -330,7 +330,13 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
if(state.version() > state.client_hello()->version())
{
throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
- "Server replied with later version than in hello");
+ "Server replied with later version than client offered");
+ }
+
+ if(state.version().major_version() == 3 && state.version().minor_version() == 0)
+ {
+ throw TLS_Exception(Alert::PROTOCOL_VERSION,
+ "Server attempting to negotiate SSLv3 which is not supported");
}
if(!policy().acceptable_protocol_version(state.version()))