From 18902d24a37687f98c85a00df022608cdaa6c44f Mon Sep 17 00:00:00 2001
From: Ben Burkert
Date: Thu, 18 Dec 2014 10:17:54 -0800
Subject: [PATCH] crypto/tls: enable TLS_FALLBACK_SCSV in server with default max version

Fix TLS_FALLBACK_SCSV check when comparing the client version to the default max version. This enables the TLS_FALLBACK_SCSV check by default in servers that do not explicitly set a max version in the tls config.

Change-Id: I5a51f9da6d71b79bc6c2ba45032be51d0f704b5e
Reviewed-on: https://go-review.googlesource.com/1776
Reviewed-by: Adam Langley
---
 handshake_server.go      | 2 +-
 handshake_server_test.go | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/handshake_server.go b/handshake_server.go
index 0d90765..8f0ed1f 100644
--- a/handshake_server.go
+++ b/handshake_server.go
@@ -228,7 +228,7 @@ Curves:
 	for _, id := range hs.clientHello.cipherSuites {
 		if id == TLS_FALLBACK_SCSV {
 			// The client is doing a fallback connection.
-			if hs.clientHello.vers < c.config.MaxVersion {
+			if hs.clientHello.vers < c.config.maxVersion() {
 				c.sendAlert(alertInappropriateFallback)
 				return false, errors.New("tls: client using inppropriate protocol fallback")
 			}
diff --git a/handshake_server_test.go b/handshake_server_test.go
index 0338af4..f954546 100644
--- a/handshake_server_test.go
+++ b/handshake_server_test.go
@@ -716,8 +716,12 @@ func TestResumptionDisabled(t *testing.T) {
 }
 
 func TestFallbackSCSV(t *testing.T) {
+	serverConfig := &Config{
+		Certificates: testConfig.Certificates,
+	}
 	test := &serverTest{
-		name: "FallbackSCSV",
+		name:   "FallbackSCSV",
+		config: serverConfig,
 		// OpenSSL 1.0.1j is needed for the -fallback_scsv option.
 		command: []string{"openssl", "s_client", "-fallback_scsv"},
 		expectHandshakeErrorIncluding: "inppropriate protocol fallback",
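Review bot: The error string on the `return false, errors.New(...)` line two lines below the changed condition still reads `inppropriate`, and because the test added in this same commit pins `expectHandshakeErrorIncluding: "inppropriate protocol fallback"`, the misspelling is now locked in rather than fixed in passing; I would change it to `return false, errors.New("tls: client using inappropriate protocol fallback")` and update the test expectation in the same change. The switch from the raw `MaxVersion` field to `c.config.maxVersion()` is the right comparison for RFC 7507, which requires the server to send inappropriate_fallback when the ClientHello version is below the highest version the server supports, so presumably a zero (unset) `MaxVersion` previously made this check unreachable; the body of `maxVersion()` is not in the hunk, so that reading of the old bug is inferred. A one-line comment on the condition would save the next reader that detour: `// RFC 7507: compare against the highest version we actually support, not the raw (possibly zero) MaxVersion field.` The enclosing handshake function starts and ends outside this hunk.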
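Review bot: The new `serverConfig` deliberately leaves `MaxVersion` unset so that the server falls back to its default maximum, which is exactly the case the commit fixes, but nothing in the test says so, and a later cleanup that copies `testConfig` wholesale could silently stop exercising the bug; I would add `// MaxVersion is intentionally unset: the SCSV check must work against the default maximum version.` above the `serverConfig := &Config{` line. The test also covers only the rejection path; a companion case where the client's advertised version equals the server's maximum and the handshake is expected to succeed with the SCSV present would pin the other half of the RFC 7507 rule, assuming `serverTest` can express a successful handshake (its definition is not in the hunk). The `config: serverConfig` line does the real work here, so the reliance on `testConfig.Certificates` being valid for the OpenSSL client is worth a mention in that same comment.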