crypto/tls: enable TLS_FALLBACK_SCSV in server with default max version
Fix TLS_FALLBACK_SCSV check when comparing the client version to the default max version. This enables the TLS_FALLBACK_SCSV check by default in servers that do not explicitly set a max version in the tls config. Change-Id: I5a51f9da6d71b79bc6c2ba45032be51d0f704b5e Reviewed-on: https://go-review.googlesource.com/1776 Reviewed-by: Adam Langley <agl@golang.org>
This commit is contained in:
parent
4e47a4aef7
commit
18902d24a3
@ -228,7 +228,7 @@ Curves:
|
||||
for _, id := range hs.clientHello.cipherSuites {
|
||||
if id == TLS_FALLBACK_SCSV {
|
||||
// The client is doing a fallback connection.
|
||||
if hs.clientHello.vers < c.config.MaxVersion {
|
||||
if hs.clientHello.vers < c.config.maxVersion() {
|
||||
c.sendAlert(alertInappropriateFallback)
|
||||
return false, errors.New("tls: client using inppropriate protocol fallback")
|
||||
}
|
||||
|
@ -716,8 +716,12 @@ func TestResumptionDisabled(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestFallbackSCSV(t *testing.T) {
|
||||
serverConfig := &Config{
|
||||
Certificates: testConfig.Certificates,
|
||||
}
|
||||
test := &serverTest{
|
||||
name: "FallbackSCSV",
|
||||
config: serverConfig,
|
||||
// OpenSSL 1.0.1j is needed for the -fallback_scsv option.
|
||||
command: []string{"openssl", "s_client", "-fallback_scsv"},
|
||||
expectHandshakeErrorIncluding: "inppropriate protocol fallback",
|
||||
|
Loading…
Reference in New Issue
Block a user