BUG/MINOR: acl: req_ssl_sni fails with SSLv3 record version

SNI is a TLS extension and requires at least TLSv1.0 or later, however
the version in the record layer may be SSLv3, not necessarily TLSv1.0.

GnuTLS for example does this.

Relax the record layer version check in smp_fetch_ssl_hello_sni() to
allow fetching SNI values from clients indicating SSLv3 in the record
layer (maintaining the TLSv1.0+ check in the actual handshake version).

This was reported and analyzed by Pravin Tatti.

diff --git a/src/payload.c b/src/payload.c
index b806e0852c64eaa4c0f758369da3e4342025b546..4057f6f85601f8f280d0d038664a9cd64fbd2f4c 100644 (file)
--- a/src/payload.c
+++ b/src/payload.c
@@ -285,10 +285,10 @@ smp_fetch_ssl_hello_sni(struct proxy *px, struct session *s, void *l7, unsigned
        if (*data != 0x16)
                goto not_ssl_hello;
 
-       /* Check for TLSv1 or later (SSL version >= 3.1) */
+       /* Check for SSLv3 or later (SSL version >= 3.0) in the record layer*/
        if (bleft < 3)
                goto too_short;
-       if (data[1] < 0x03 || data[2] < 0x01)
+       if (data[1] < 0x03)
                goto not_ssl_hello;
 
        if (bleft < 5)