crypto/tls: enable TLS_FALLBACK_SCSV in server with default max version

Fix TLS_FALLBACK_SCSV check when comparing the client version to the default max version. This enables the TLS_FALLBACK_SCSV check by default in servers that do not explicitly set a max version in the tls config. Change-Id: I5a51f9da6d71b79bc6c2ba45032be51d0f704b5e Reviewed-on: https://go-review.googlesource.com/1776 Reviewed-by: Adam Langley <agl@golang.org>
2024-09-19 16:01:33 +00:00 · 2014-12-18 10:17:54 -08:00 · 2014-12-18 10:17:54 -08:00 · 1965b03584
parent 8e0686a071
commit 1965b03584
2 changed files with 6 additions and 2 deletions
--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@ -228,7 +228,7 @@ Curves:
 	for _, id := range hs.clientHello.cipherSuites {
 		if id == TLS_FALLBACK_SCSV {
 			// The client is doing a fallback connection.
-			if hs.clientHello.vers < c.config.MaxVersion {
+			if hs.clientHello.vers < c.config.maxVersion() {
 				c.sendAlert(alertInappropriateFallback)
 				return false, errors.New("tls: client using inppropriate protocol fallback")
 			}
--- a/src/crypto/tls/handshake_server_test.go
+++ b/src/crypto/tls/handshake_server_test.go
@ -716,8 +716,12 @@ func TestResumptionDisabled(t *testing.T) {
 }

 func TestFallbackSCSV(t *testing.T) {
+	serverConfig := &Config{
+		Certificates: testConfig.Certificates,
+	}
 	test := &serverTest{
-		name: "FallbackSCSV",
+		name:   "FallbackSCSV",
+		config: serverConfig,
 		// OpenSSL 1.0.1j is needed for the -fallback_scsv option.
 		command: []string{"openssl", "s_client", "-fallback_scsv"},
 		expectHandshakeErrorIncluding: "inppropriate protocol fallback",