artulab
projects / openbsd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ed3431f)
Remove old workaround for F5
authortb <tb@openbsd.org>
Tue, 11 Jul 2023 17:02:47 +0000 (17:02 +0000)
committertb <tb@openbsd.org>
Tue, 11 Jul 2023 17:02:47 +0000 (17:02 +0000)
F5 is well-known for needing workaround (go read RFC 8446). In this
particular case, it required implementation sending CHs larger than
255 bytes to 0x0300 otherwise their server would hang. This is the
same hang that required the CH padding extension which broke other
implementations. The CH padding extension was removed ~6 years ago,
so hopefully this kludge will no longer needed either.

ok jsing

lib/libssl/ssl_pkt.c patch | blob | history

diff --git a/lib/libssl/ssl_pkt.c b/lib/libssl/ssl_pkt.c
index 728ac14..2c33c45 100644 (file)
--- a/lib/libssl/ssl_pkt.c
+++ b/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.65 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.66 2023/07/11 17:02:47 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -536,7 +536,6 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
        SSL_SESSION *sess = s->session;
        int need_empty_fragment = 0;
        size_t align, out_len;
-       uint16_t version;
        CBB cbb;
        int ret;
 
@@ -568,16 +567,6 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
        if (len == 0)
                return 0;
 
-       /*
-        * Some servers hang if initial client hello is larger than 256
-        * bytes and record version number > TLS 1.0.
-        */
-       version = s->version;
-       if (s->s3->hs.state == SSL3_ST_CW_CLNT_HELLO_B &&
-           !s->renegotiate &&
-           s->s3->hs.our_max_tls_version > TLS1_VERSION)
-               version = TLS1_VERSION;
-
        /*
         * Countermeasure against known-IV weakness in CBC ciphersuites
         * (see http://www.openssl.org/~bodo/tls-cbc.txt). Note that this
@@ -604,7 +593,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
        if (!CBB_init_fixed(&cbb, wb->buf + align, wb->len - align))
                goto err;
 
-       tls12_record_layer_set_version(s->rl, version);
+       tls12_record_layer_set_version(s->rl, s->version);
 
        if (need_empty_fragment) {
                if (!tls12_record_layer_seal_record(s->rl, type,
OpenBSD src
by Ahmet Artu Yildirim