OLD | NEW |
1 diff --git a/lib/ssl/ssl3ext.c b/lib/ssl/ssl3ext.c | 1 diff --git a/lib/ssl/ssl3ext.c b/lib/ssl/ssl3ext.c |
2 index 9cfd541..eb3fb70 100644 | 2 index 2ffe77b..3b48c9e 100644 |
3 --- a/lib/ssl/ssl3ext.c | 3 --- a/lib/ssl/ssl3ext.c |
4 +++ b/lib/ssl/ssl3ext.c | 4 +++ b/lib/ssl/ssl3ext.c |
5 @@ -321,6 +321,10 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTE
NSIONS] = { | 5 @@ -336,10 +336,14 @@ static const ssl3HelloExtensionSender clientHelloSendersTL
S[SSL_MAX_EXTENSIONS] |
6 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, | 6 { ssl_use_srtp_xtn, &ssl3_ClientSendUseSRTPXtn }, |
7 { ssl_signed_certificate_timestamp_xtn, | 7 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, |
8 &ssl3_ClientSendSignedCertTimestampXtn }, | 8 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
9 + /* WebSphere Application Server 7.0 is intolerant to the last extension | 9 - { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, |
10 + * being zero-length. It is not intolerant of TLS 1.2, so ensure that | 10 { ssl_tls13_draft_version_xtn, &ssl3_ClientSendDraftVersionXtn }, |
11 + * signature_algorithms is at the end to guarantee a non-empty | 11 { ssl_signed_cert_timestamp_xtn, &ssl3_ClientSendSignedCertTimestampXtn }
, |
12 + * extension. */ | 12 { ssl_tls13_key_share_xtn, &tls13_ClientSendKeyShareXtn }, |
13 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, | 13 + /* Some servers (e.g. WebSphere Application Server 7.0 and Tomcat) will |
14 { ssl_tls13_draft_version_xtn, &ssl3_ClientSendDraftVersionXtn }, | 14 + * time out or terminate the connection if the last extension in the |
15 { ssl_extended_master_secret_xtn, &ssl3_SendExtendedMasterSecretXtn}, | 15 + * client hello is empty. They are not intolerant of TLS 1.2, so list |
16 @@ -2546,9 +2550,11 @@ ssl3_CalculatePaddingExtensionLength(unsigned int clientH
elloLength) | 16 + * signature_algorithms at the end. See bug 1243641. */ |
| 17 + { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, |
| 18 /* any extra entries will appear as { 0, NULL } */ |
| 19 }; |
| 20 |
| 21 @@ -2690,9 +2694,11 @@ ssl3_CalculatePaddingExtensionLength(unsigned int clientH
elloLength) |
17 } | 22 } |
18 | 23 |
19 extensionLength = 512 - recordLength; | 24 extensionLength = 512 - recordLength; |
20 - /* Extensions take at least four bytes to encode. */ | 25 - /* Extensions take at least four bytes to encode. */ |
21 - if (extensionLength < 4) { | 26 - if (extensionLength < 4) { |
22 - extensionLength = 4; | 27 - extensionLength = 4; |
23 + /* Extensions take at least four bytes to encode. Always include at least | 28 + /* Extensions take at least four bytes to encode. Always include at least |
24 + * one byte of data if including the extension. WebSphere Application | 29 + * one byte of data if including the extension. WebSphere Application |
25 + * Server 7.0 is intolerant to the last extension being zero-length. */ | 30 + * Server 7.0 is intolerant to the last extension being zero-length. */ |
26 + if (extensionLength < 4 + 1) { | 31 + if (extensionLength < 4 + 1) { |
27 + extensionLength = 4 + 1; | 32 + extensionLength = 4 + 1; |
28 } | 33 } |
29 | 34 |
30 return extensionLength; | 35 return extensionLength; |
OLD | NEW |