Reject a SSLv2 mapped DTLS client hello as serious bogosity.

author: lloyd <[email protected]> 2012-09-06 19:55:33 +0000
committer: lloyd <[email protected]> 2012-09-06 19:55:33 +0000
commit: e26e9cd26b29071055fe51d51dd018a53b3b1ffc (patch)
tree: ffc1d9d9363ed27d6f46dacad8557f7260077130 /src
parent: 4d386edc546cd905a84f2244fdd0e98179ef3fd5 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/src/tls/tls_record.cpp b/src/tls/tls_record.cpp
index a0ddfff5b..45e7fef42 100644
--- a/src/tls/tls_record.cpp
+++ b/src/tls/tls_record.cpp
@@ -285,6 +285,10 @@ size_t read_record(std::vector<byte>& readbuf,
    // Possible SSLv2 format client hello
    if((!cipherstate) && (readbuf[0] & 0x80) && (readbuf[2] == 1))
       {
+      if(version.is_datagram_protocol())
+         throw TLS_Exception(Alert::PROTOCOL_VERSION,
+                             "Client sent SSLv2-style DTLS hello");
+
       if(readbuf[3] == 0 && readbuf[4] == 2)
          throw TLS_Exception(Alert::PROTOCOL_VERSION,
                              "Client claims to only support SSLv2, rejecting");
author	lloyd <[email protected]>	2012-09-06 19:55:33 +0000
committer	lloyd <[email protected]>	2012-09-06 19:55:33 +0000
commit	e26e9cd26b29071055fe51d51dd018a53b3b1ffc (patch)
tree	ffc1d9d9363ed27d6f46dacad8557f7260077130 /src
parent	4d386edc546cd905a84f2244fdd0e98179ef3fd5 (diff)