From: Ben Burkert Date: Thu, 18 Dec 2014 18:17:54 +0000 (-0800) Subject: crypto/tls: enable TLS_FALLBACK_SCSV in server with default max version X-Git-Tag: go1.5beta1~2599 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=1965b035844b3e8e8b9dd3c21a113345c7eee8b1;p=gostls13.git crypto/tls: enable TLS_FALLBACK_SCSV in server with default max version Fix TLS_FALLBACK_SCSV check when comparing the client version to the default max version. This enables the TLS_FALLBACK_SCSV check by default in servers that do not explicitly set a max version in the tls config. Change-Id: I5a51f9da6d71b79bc6c2ba45032be51d0f704b5e Reviewed-on: https://go-review.googlesource.com/1776 Reviewed-by: Adam Langley --- diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go index 0d907656c6..8f0ed1f70b 100644 --- a/src/crypto/tls/handshake_server.go +++ b/src/crypto/tls/handshake_server.go @@ -228,7 +228,7 @@ Curves: for _, id := range hs.clientHello.cipherSuites { if id == TLS_FALLBACK_SCSV { // The client is doing a fallback connection. - if hs.clientHello.vers < c.config.MaxVersion { + if hs.clientHello.vers < c.config.maxVersion() { c.sendAlert(alertInappropriateFallback) return false, errors.New("tls: client using inppropriate protocol fallback") } diff --git a/src/crypto/tls/handshake_server_test.go b/src/crypto/tls/handshake_server_test.go index 0338af457e..f9545461a4 100644 --- a/src/crypto/tls/handshake_server_test.go +++ b/src/crypto/tls/handshake_server_test.go @@ -716,8 +716,12 @@ func TestResumptionDisabled(t *testing.T) { } func TestFallbackSCSV(t *testing.T) { + serverConfig := &Config{ + Certificates: testConfig.Certificates, + } test := &serverTest{ - name: "FallbackSCSV", + name: "FallbackSCSV", + config: serverConfig, // OpenSSL 1.0.1j is needed for the -fallback_scsv option. command: []string{"openssl", "s_client", "-fallback_scsv"}, expectHandshakeErrorIncluding: "inppropriate protocol fallback",