From bf59cc53a768cd0ea1deb78a9a75c3bc92d466e6 Mon Sep 17 00:00:00 2001
From: Jack Lloyd <jack@randombit.net>
Date: Tue, 28 Nov 2017 14:18:39 -0500
Subject: Correct version selection logic in TLS server

Due to an oversight in the logic, previously a client attempt to
negotiate SSLv3 would result in the server trying to negotiate
TLS v1.2. Now instead they get a protocol_error alert.

Similarly, detect the the (invalid) case of a major number <= 2,
which does not coorespond to any real TLS version. The server
would again reply as a TLS v1.2 server in that case, and now
just closes the connection with an alert.
---
 src/lib/tls/tls_server.cpp | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'src')

diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp
index f20e363cf..66a0e0e1d 100644
--- a/src/lib/tls/tls_server.cpp
+++ b/src/lib/tls/tls_server.cpp
@@ -405,6 +405,11 @@ void Server::process_client_hello_msg(const Handshake_State* active_state,
    pending_state.client_hello(new Client_Hello(contents));
    const Protocol_Version client_version = pending_state.client_hello()->version();
 
+   if(client_version.major_version() < 3)
+      throw TLS_Exception(Alert::PROTOCOL_VERSION, "Client offered version with major version under 3");
+   if(client_version.major_version() == 3 && client_version.minor_version() == 0)
+      throw TLS_Exception(Alert::PROTOCOL_VERSION, "SSLv3 is not supported");
+
    Protocol_Version negotiated_version;
 
    const Protocol_Version latest_supported =
-- 
cgit v1.2.3