From 56e1ead7bf08867bc0a082f7d35c17a387f74b2e Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 11 Jul 2023 17:02:47 +0000
Subject: [PATCH] Remove old workaround for F5

F5 is well-known for needing workaround (go read RFC 8446). In this particular case, it required implementation sending CHs larger than 255 bytes to 0x0300 otherwise their server would hang. This is the same hang that required the CH padding extension which broke other implementations. The CH padding extension was removed ~6 years ago, so hopefully this kludge will no longer needed either.
ok jsing
---
 lib/libssl/ssl_pkt.c | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)
diff --git a/lib/libssl/ssl_pkt.c b/lib/libssl/ssl_pkt.c
index 728ac141e5f..2c33c45386d 100644
--- a/lib/libssl/ssl_pkt.c
+++ b/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.65 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.66 2023/07/11 17:02:47 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -536,7 +536,6 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
 SSL_SESSION *sess = s->session;
 int need_empty_fragment = 0;
 size_t align, out_len;
- uint16_t version;
 CBB cbb;
 int ret;
@@ -568,16 +567,6 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
 if (len == 0)
 return 0;
- /* * Some servers hang if initial client hello is larger than 256 * bytes and record version number > TLS 1.0. */ version = s->version; if (s->s3->hs.state == SSL3_ST_CW_CLNT_HELLO_B && !s->renegotiate && s->s3->hs.our_max_tls_version > TLS1_VERSION) version = TLS1_VERSION; - /*
 * Countermeasure against known-IV weakness in CBC ciphersuites
 * (see http://www.openssl.org/~bodo/tls-cbc.txt). Note that this 
@@ -604,7 +593,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
 if (!CBB_init_fixed(&cbb, wb->buf + align, wb->len - align))
 goto err;
- tls12_record_layer_set_version(s->rl, version);
+ tls12_record_layer_set_version(s->rl, s->version);
 if (need_empty_fragment) {
 if (!tls12_record_layer_seal_record(s->rl, type,
--
2.20.1
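Review bot: The new `tls12_record_layer_set_version(s->rl, s->version);` leaves no trace in the code that the initial ClientHello record header is now deliberately sent with whatever `s->version` holds at that point rather than pinned to TLS 1.0, so the next interop report against a legacy middlebox will tempt someone to reintroduce the clamp that this commit removes. A one-line comment above the call would anchor the intent, e.g. `/* Use s->version even for the initial ClientHello record; RFC 5246 App. E.1 requires servers to accept any {03,XX} there. */`. For what it is worth, the record header of the initial ClientHello is sent unprotected and is not part of the handshake transcript hash, so as far as I can tell this is an interoperability change only and does not affect version negotiation or downgrade protection, which are carried in the handshake messages. It would still be worth noting in the commit or a regress test which record version the client now emits on its first flight, since a hang against a strict peer is silent rather than a visible error. do_ssl3_write begins and ends outside this hunk.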