When generating a signature in TLS 1.2, respect the request of the

counterparty by using the highest preference hash they have available for the signature type we are generating. This does mean we will do stupid things, if the counterparty is stupid (for instance some versions of GnuTLS will prefer SHA-1 over the SHA-2s - likely someone misread the spec and ordered the list backwards). But because we filter out MD5 we'll never use that; even in the worst case, if someone requests only MD5, we'll skip over it and use SHA-1 as the fallback algorithm. Theoretically this is against the spec because we "MUST" send something compatible, but seriously, fuck em. Right in the eye.
author: lloyd <[email protected]> 2012-01-20 22:21:12 +0000
committer: lloyd <[email protected]> 2012-01-20 22:21:12 +0000
commit: 87fd27adfe84478c52186107fc383890544eeeba (patch)
tree: f6b360af3115ae7203e15bc834d4397b0dcf28b9 /src/tls/tls_policy.h
parent: 5ccc1b53e9f20ba3d074e68844285d15b5a00912 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/tls/tls_policy.h b/src/tls/tls_policy.h
index c14709e7e..5bf60742b 100644
--- a/src/tls/tls_policy.h
+++ b/src/tls/tls_policy.h
@@ -75,7 +75,7 @@ class BOTAN_DLL TLS_Policy
       /*
       * @return the version we would prefer to negotiate
       */
-      virtual Version_Code pref_version() const { return TLS_V11; }
+      virtual Version_Code pref_version() const { return TLS_V12; }
 
       virtual ~TLS_Policy() {}
    };
author	lloyd <[email protected]>	2012-01-20 22:21:12 +0000
committer	lloyd <[email protected]>	2012-01-20 22:21:12 +0000
commit	87fd27adfe84478c52186107fc383890544eeeba (patch)
tree	f6b360af3115ae7203e15bc834d4397b0dcf28b9 /src/tls/tls_policy.h
parent	5ccc1b53e9f20ba3d074e68844285d15b5a00912 (diff)