[release-branch.go1] crypto/tls: return better error message in the case of an SSLv2...
authorAdam Langley <agl@golang.org>
Fri, 21 Sep 2012 19:54:46 +0000 (05:54 +1000)
committerAdam Langley <agl@golang.org>
Fri, 21 Sep 2012 19:54:46 +0000 (05:54 +1000)
««« backport 8048fe8f6f4b
crypto/tls: return better error message in the case of an SSLv2 handshake.

Update #3930
Return a better error message in this situation.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/6474055

»»»

src/pkg/crypto/tls/conn.go

index 2a5115dc6aba08975723379632dd4a9b77180ce5..455910af41503575b69aa7aaca266fe763efe5e0 100644 (file)
@@ -487,6 +487,16 @@ Again:
                return err
        }
        typ := recordType(b.data[0])
+
+       // No valid TLS record has a type of 0x80, however SSLv2 handshakes
+       // start with a uint16 length where the MSB is set and the first record
+       // is always < 256 bytes long. Therefore typ == 0x80 strongly suggests
+       // an SSLv2 client.
+       if want == recordTypeHandshake && typ == 0x80 {
+               c.sendAlert(alertProtocolVersion)
+               return errors.New("tls: unsupported SSLv2 handshake received")
+       }
+
        vers := uint16(b.data[1])<<8 | uint16(b.data[2])
        n := int(b.data[3])<<8 | int(b.data[4])
        if c.haveVers && vers != c.vers {
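Review bot: The return value of `c.sendAlert(alertProtocolVersion)` on the new SSLv2 branch is dropped without comment, while the neighbouring version-mismatch branch that starts on the hunk's last line appears to follow the file's usual `return c.sendAlert(...)` pattern. Dropping it here is presumably deliberate, so the caller sees the specific SSLv2 message rather than the generic protocol-version alert, but that intent should be stated: `_ = c.sendAlert(alertProtocolVersion) // best-effort; the descriptive error below is what callers should see`. If sendAlert also records a sticky connection error (not visible in this hunk), the error reported by this call and by later reads on the same connection will differ — worth confirming. The enclosing readRecord body begins before and continues past this hunk.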