Use ssl3_is_version_enabled to skip offering sessions.
We do an ad-hoc upper-bound check, but if the version is too low, we also shouldn't offer the session. This isn't fatal to the connection and doesn't have issues (we'll check the version later regardless), but offering a session we're never going to accept is pointless. The check should match what we do in ServerHello. Credit to Matt Caswell for noticing the equivalent issue in an OpenSSL pull request. Change-Id: I17a4efd37afa63b34fca53f4c9b7ac3ae2fa3336 Reviewed-on: https://boringssl-review.googlesource.com/7543 Reviewed-by: David Benjamin <davidben@google.com>
This commit is contained in:
parent
762e1d039c
commit
e29ea166a6
@ -666,13 +666,12 @@ int ssl3_send_client_hello(SSL *ssl) {
|
|||||||
ssl->client_version = max_version;
|
ssl->client_version = max_version;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* If the configured session has expired or was created at a version higher
|
/* If the configured session has expired or was created at a disabled
|
||||||
* than our maximum version, drop it. */
|
* version, drop it. */
|
||||||
if (ssl->session != NULL &&
|
if (ssl->session != NULL &&
|
||||||
(ssl->session->session_id_length == 0 || ssl->session->not_resumable ||
|
(ssl->session->session_id_length == 0 || ssl->session->not_resumable ||
|
||||||
ssl->session->timeout < (long)(time(NULL) - ssl->session->time) ||
|
ssl->session->timeout < (long)(time(NULL) - ssl->session->time) ||
|
||||||
(!SSL_IS_DTLS(ssl) && ssl->session->ssl_version > ssl->version) ||
|
!ssl3_is_version_enabled(ssl, ssl->session->ssl_version))) {
|
||||||
(SSL_IS_DTLS(ssl) && ssl->session->ssl_version < ssl->version))) {
|
|
||||||
SSL_set_session(ssl, NULL);
|
SSL_set_session(ssl, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
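Review bot: The new condition `!ssl3_is_version_enabled(ssl, ssl->session->ssl_version)` drops the explicit `SSL_IS_DTLS(ssl)` branch, so correctness now rests on the helper accepting the same wire-format version that `ssl->session->ssl_version` stores and on it handling DTLS's inverted version ordering (a numerically smaller DTLS wire version is the newer one); the hunk does not show the helper, so this is inferred. If that is the contract, a one-line comment on the condition would save the next reader from re-deriving it, e.g. `/* ssl3_is_version_enabled takes the wire version and handles DTLS ordering. */`. Note that the check only decides whether to offer the session; a server that still resumes at a disabled version must be rejected elsewhere, as the description says. The enclosing `ssl3_send_client_hello` starts and ends outside this hunk.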