diff options
author | Jack Lloyd <[email protected]> | 2017-11-28 14:27:36 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2017-11-28 14:27:36 -0500 |
commit | 5205df88f44b3d52854688ae790dafe33811ec4b (patch) | |
tree | 5b8be66a0968a5ee6c118345d25770afbcde879a /src | |
parent | bf59cc53a768cd0ea1deb78a9a75c3bc92d466e6 (diff) |
Add an explicit catch for a server trying to negotiate SSLv3
This was already caught with the policy check later but it's better
to be explicit. (And in theory an application might implement their
policy version check to be "return true", which would lead to us
actually attempting to negotiate SSLv3).
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/tls/tls_client.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp index ce19f04c9..0e620a279 100644 --- a/src/lib/tls/tls_client.cpp +++ b/src/lib/tls/tls_client.cpp @@ -330,7 +330,13 @@ void Client::process_handshake_msg(const Handshake_State* active_state, if(state.version() > state.client_hello()->version()) { throw TLS_Exception(Alert::HANDSHAKE_FAILURE, - "Server replied with later version than in hello"); + "Server replied with later version than client offered"); + } + + if(state.version().major_version() == 3 && state.version().minor_version() == 0) + { + throw TLS_Exception(Alert::PROTOCOL_VERSION, + "Server attempting to negotiate SSLv3 which is not supported"); } if(!policy().acceptable_protocol_version(state.version())) |