-rw-r--r-- | src/tls/tls_client.cpp | 2 | ||||
-rw-r--r-- | src/tls/tls_policy.h | 10 | ||||
-rw-r--r-- | src/tls/tls_server.cpp | 2 |
3 files changed, 7 insertions, 7 deletions
diff --git a/src/tls/tls_client.cpp b/src/tls/tls_client.cpp
index ba7738e5c..d19249d68 100644
--- a/src/tls/tls_client.cpp
+++ b/src/tls/tls_client.cpp
@@ -154,7 +154,7 @@ void Client::process_handshake_msg(Handshake_Type type,
       if(state->client_hello)
          return;
 
-      if(!secure_renegotiation.supported() && policy.require_secure_renegotiation())
+      if(!secure_renegotiation.supported() && !policy.allow_insecure_renegotiation())
          {
          delete state;
          state = nullptr;
diff --git a/src/tls/tls_policy.h b/src/tls/tls_policy.h
index c3a0fc29e..7678ecfd1 100644
--- a/src/tls/tls_policy.h
+++ b/src/tls/tls_policy.h
@@ -71,13 +71,13 @@ class BOTAN_DLL Policy
       virtual std::string choose_curve(const std::vector<std::string>& curve_names) const;
 
       /**
-      * Require support for RFC 5746 extensions to enable
-      * renegotiation.
+      * Allow renegotiation even if the counterparty doesn't
+      * support the secure renegotiation extension.
       *
-      * @warning Changing this to false exposes you to injected
-      * plaintext attacks. Read the RFC for background.
+      * @warning Changing this to true exposes you to injected
+      * plaintext attacks. Read RFC 5746 for background.
       */
-      virtual bool require_secure_renegotiation() const { return true; }
+      virtual bool allow_insecure_renegotiation() const { return false; }
 
       /**
       * Return the group to use for ephemeral Diffie-Hellman key agreement
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index f8d5894fb..bb3dfe5ff 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -287,7 +287,7 @@ void Server::process_handshake_msg(Handshake_Type type,
       else
          state->set_version(policy.pref_version());
 
-      if(policy.require_secure_renegotiation() &&
+      if(!policy.allow_insecure_renegotiation() &&
          !(secure_renegotiation.initial_handshake() ||
            secure_renegotiation.supported()))
          {
          delete state;
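Review bot: The client and server hunks gate the same policy flag on different conditions: the server abort in tls_server.cpp is skipped when `secure_renegotiation.initial_handshake()` is true, while the client abort in tls_client.cpp fires whenever `!secure_renegotiation.supported()`, so with the default `allow_insecure_renegotiation() == false` a client appears to refuse even an initial handshake to a server that lacks the RFC 5746 extension. If that asymmetry is deliberate (the client insisting on a secure-renegotiation-capable server), the new policy doc should say so, since its text only speaks of renegotiation; if not, the client condition should mirror the server's, `if(!policy.allow_insecure_renegotiation() && !(secure_renegotiation.initial_handshake() || secure_renegotiation.supported()))`. Both process_handshake_msg bodies start and end outside their hunks, so I cannot see whether an earlier client check already covers the initial-handshake case.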
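Review bot: Renaming the virtual from `require_secure_renegotiation()` to `allow_insecure_renegotiation()` in tls_policy.h silently disables any existing Policy subclass that overrides the old name: the override no longer matches a virtual in the base, is never called, and the subclass gets the new default instead of the behaviour it chose, with no compile error to flag it. Consider keeping a deprecated forwarding shim for one release, `virtual bool require_secure_renegotiation() const { return !allow_insecure_renegotiation(); }` marked deprecated in its Doxygen comment, or calling the rename out in the release notes. The new doc comment should also state the default, e.g. `* Defaults to false (secure renegotiation required).`, so a reader does not have to open the inline body to learn the safe setting.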