]> git.ipfire.org Git - thirdparty/haproxy.git/commit
projects / thirdparty / haproxy.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 073edf3) | patch
BUG/MINOR: acl: req_ssl_sni fails with SSLv3 record version
authorLukas Tribus <luky-37@hotmail.com>
Thu, 10 Apr 2014 19:36:22 +0000 (21:36 +0200)
committerWilly Tarreau <w@1wt.eu>
Thu, 10 Apr 2014 21:30:59 +0000 (23:30 +0200)
commit57d2297473bdc1b61a589a73797eb25e0a00a8bd
tree9d7635a3d66f186d913953d551d95838fe066cc0tree
parent073edf3311aa963ca7e0496f70b848b5f1fe9ec3commit | diff
BUG/MINOR: acl: req_ssl_sni fails with SSLv3 record version

SNI is a TLS extension and requires at least TLSv1.0 or later, however
the version in the record layer may be SSLv3, not necessarily TLSv1.0.

GnuTLS for example does this.

Relax the record layer version check in smp_fetch_ssl_hello_sni() to
allow fetching SNI values from clients indicating SSLv3 in the record
layer (maintaining the TLSv1.0+ check in the actual handshake version).

This was reported and analyzed by Pravin Tatti.
src/payload.c diff | blob | blame | history
Mirror of https://github.com/haproxy/haproxy.git