- do not add tls extensions to server hello for SSLv3 either

openssl-0.9.8g-no-extssl.patch

@@ -1,17 +1,27 @@
-Skip adding tls extensions to client hello when protocol version is
-not TLS.
 diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c
 --- openssl-0.9.8g/ssl/t1_lib.c.no-extssl	2007-10-19 09:44:10.000000000 +0200
-+++ openssl-0.9.8g/ssl/t1_lib.c	2007-12-13 17:22:10.000000000 +0100
++++ openssl-0.9.8g/ssl/t1_lib.c	2008-08-10 21:42:11.000000000 +0200
 @@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex
  	int extdatalen=0;
  	unsigned char *ret = p;
  
 +	if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION)
-+	{
++		{
 +		return ret;
-+	}
++		}
 +
  	ret+=2;
  
  	if (ret>=limit) return NULL; /* this really never occurs, but ... */
+@@ -202,6 +207,11 @@ unsigned char *ssl_add_serverhello_tlsex
+ 	int extdatalen=0;
+ 	unsigned char *ret = p;
+ 
++	if (s->version != TLS1_VERSION && s->version != DTLS1_VERSION)
++		{
++		return ret;
++		}
++
+ 	ret+=2;
+ 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
+ 

openssl.spec

@@ -22,7 +22,7 @@
 Summary: The OpenSSL toolkit
 Name: openssl
 Version: 0.9.8g
-Release: 10%{?dist}
+Release: 11%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-usa.tar.bz2
@@ -368,6 +368,9 @@ rm -rf $RPM_BUILD_ROOT/%{_bindir}/openssl_fips_fingerprint
 %postun -p /sbin/ldconfig
 
 %changelog
+* Sun Aug 10 2008 Tomas Mraz <tmraz@redhat.com> 0.9.8g-11
+- do not add tls extensions to server hello for SSLv3 either
+
 * Mon Jun  2 2008 Joe Orton <jorton@redhat.com> 0.9.8g-10
 - move root CA bundle to ca-certificates package