diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 3fc956d40..6383c0e6a 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -1134,6 +1134,7 @@ int ssl_parse_finished( ssl_context *ssl ); int ssl_write_finished( ssl_context *ssl ); void ssl_optimize_checksum( ssl_context *ssl, int ciphersuite ); +int ssl_get_ciphersuite_min_version( const int ciphersuite_id ); #ifdef __cplusplus } diff --git a/library/ssl_srv.c b/library/ssl_srv.c index c62c4129f..d1669864c 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -647,7 +647,8 @@ static int ssl_parse_client_hello( ssl_context *ssl ) for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 ) { - if( p[0] == 0 && p[1] == ssl->ciphersuites[ssl->minor_ver][i] ) + if( p[0] == 0 && p[1] == ssl->ciphersuites[ssl->minor_ver][i] && + ssl_get_ciphersuite_min_version( p[1] ) <= ssl->minor_ver ) goto have_ciphersuite; } } diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 253437973..15cb3bc2b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3521,6 +3521,50 @@ int ssl_get_ciphersuite_id( const char *ciphersuite_name ) return( 0 ); } +int ssl_get_ciphersuite_min_version( const int ciphersuite_id ) +{ + switch( ciphersuite_id ) + { + case TLS_RSA_WITH_RC4_128_MD5: + case TLS_RSA_WITH_RC4_128_SHA: + case TLS_RSA_WITH_3DES_EDE_CBC_SHA: + case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: + case TLS_RSA_WITH_AES_128_CBC_SHA: + case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: + case TLS_RSA_WITH_AES_256_CBC_SHA: + case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: + case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: + case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: + case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: + case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: + case TLS_RSA_WITH_NULL_MD5: + case TLS_RSA_WITH_NULL_SHA: + case TLS_RSA_WITH_DES_CBC_SHA: + case TLS_DHE_RSA_WITH_DES_CBC_SHA: + return SSL_MINOR_VERSION_0; + + case TLS_RSA_WITH_AES_128_CBC_SHA256: + case TLS_RSA_WITH_AES_256_CBC_SHA256: + case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: + case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: + case TLS_RSA_WITH_AES_128_GCM_SHA256: + case TLS_RSA_WITH_AES_256_GCM_SHA384: + case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: + case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: + case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: + case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: + case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: + case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: + case TLS_RSA_WITH_NULL_SHA256: + return SSL_MINOR_VERSION_3; + + default: + break; + } + + return SSL_MINOR_VERSION_0; +} + const char *ssl_get_ciphersuite( const ssl_context *ssl ) { if( ssl == NULL || ssl->session == NULL )