From: Lukas Tribus Date: Thu, 10 Apr 2014 19:36:22 +0000 (+0200) Subject: BUG/MINOR: acl: req_ssl_sni fails with SSLv3 record version X-Git-Tag: v1.5-dev23~59 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57d229747;p=thirdparty%2Fhaproxy.git BUG/MINOR: acl: req_ssl_sni fails with SSLv3 record version SNI is a TLS extension and requires at least TLSv1.0 or later, however the version in the record layer may be SSLv3, not necessarily TLSv1.0. GnuTLS for example does this. Relax the record layer version check in smp_fetch_ssl_hello_sni() to allow fetching SNI values from clients indicating SSLv3 in the record layer (maintaining the TLSv1.0+ check in the actual handshake version). This was reported and analyzed by Pravin Tatti. --- diff --git a/src/payload.c b/src/payload.c index b806e0852c..4057f6f856 100644 --- a/src/payload.c +++ b/src/payload.c @@ -285,10 +285,10 @@ smp_fetch_ssl_hello_sni(struct proxy *px, struct session *s, void *l7, unsigned if (*data != 0x16) goto not_ssl_hello; - /* Check for TLSv1 or later (SSL version >= 3.1) */ + /* Check for SSLv3 or later (SSL version >= 3.0) in the record layer*/ if (bleft < 3) goto too_short; - if (data[1] < 0x03 || data[2] < 0x01) + if (data[1] < 0x03) goto not_ssl_hello; if (bleft < 5)