

pike.git/lib/modules/SSL.pmod/Session.pike:222:
   return 0;
   }
   if (suite_info[2] > HASH_sha) {
   // Hash algorithms other than md5 and sha1 are not supported
   // prior to TLS 1.2.
   return 0;
   }
   // FIXME: Check hash size >= cert hash size.
   }
  
-  if ((version >= PROTOCOL_TLS_1_1) &&
-  (< CIPHER_null, CIPHER_rc4_40, CIPHER_rc2_40, CIPHER_des40 >)
-  [suite_info[1]]) {
+  if (version >= PROTOCOL_TLS_1_1)
+  {
+  if (suite == SSL_null_with_null_null)
+  {
+  // This suite is not allowed to be negotiated in TLS 1.1.
+  return 0;
+  }
+ 
+  if ( (< CIPHER_rc4_40, CIPHER_rc2_40, CIPHER_des40 >)[suite_info[1]]) {
   // RFC 4346 A.5: Export suites
   // TLS 1.1 implementations MUST NOT negotiate
   // these cipher suites in TLS 1.1 mode.
   // ...
   // TLS 1.1 clients MUST check that the server
   // did not choose one of these cipher suites
   // during the handshake.
   return 0;
   }
- 
+  }
  
   return 1;
  }
  
  //! Selects an apropriate certificate, authentication method
  //! and cipher suite for the parameters provided by the client.
  //!
  //! @param certs
  //! The list of @[CertificatePair]s that are applicable to the
  //! @[server_name] of this session.
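Review bot: The new `suite == SSL_null_with_null_null` rejection sits inside `if (version >= PROTOCOL_TLS_1_1)`, so for SSL 3.0 and TLS 1.0 this branch still lets that suite through, although it gives no protection in any protocol version. Unless the part of the function above the hunk (not visible here) already rejects it, hoist the check out of the version gate as `if (suite == SSL_null_with_null_null) return 0;` and reword its comment to say it must never be negotiated. Separately, the removed condition rejected every suite whose cipher is `CIPHER_null` at TLS 1.1 and later, while the new set holds only the three export ciphers. Authenticated but unencrypted suites therefore now pass this check. If that is intended, add a comment such as `// NULL-encryption suites are permitted here; they give integrity but no confidentiality and must only be enabled explicitly.`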