BUG/MINOR: acl: req_ssl_sni fails with SSLv3 record version

SNI is a TLS extension and requires at least TLSv1.0 or later, however
the version in the record layer may be SSLv3, not necessarily TLSv1.0.

GnuTLS for example does this.

Relax the record layer version check in smp_fetch_ssl_hello_sni() to
allow fetching SNI values from clients indicating SSLv3 in the record
layer (maintaining the TLSv1.0+ check in the actual handshake version).

This was reported and analyzed by Pravin Tatti.
This commit is contained in:
Lukas Tribus 2014-04-10 21:36:22 +02:00 committed by Willy Tarreau
parent 073edf3311
commit 57d2297473

View File

@ -285,10 +285,10 @@ smp_fetch_ssl_hello_sni(struct proxy *px, struct session *s, void *l7, unsigned
if (*data != 0x16)
goto not_ssl_hello;
/* Check for TLSv1 or later (SSL version >= 3.1) */
/* Check for SSLv3 or later (SSL version >= 3.0) in the record layer*/
if (bleft < 3)
goto too_short;
if (data[1] < 0x03 || data[2] < 0x01)
if (data[1] < 0x03)
goto not_ssl_hello;
if (bleft < 5)