authorAdam Langley <agl@golang.org>2012-09-22 05:54:46 +1000
committerAdam Langley <agl@golang.org>2012-09-22 05:54:46 +1000
commita3ab361b9cd91d0e827d0fb76fd4f020bd8d2c20 (patch)
treeafb48568d82b9547793345e663ed58235e9c3de2
parent7feabb4b94c90add05d6f1e13712e379430921a0 (diff)
downloadgo-a3ab361b9cd91d0e827d0fb76fd4f020bd8d2c20.tar.gz
go-a3ab361b9cd91d0e827d0fb76fd4f020bd8d2c20.zip
[release-branch.go1] crypto/tls: return better error message in the case of an SSLv2 handshake.
««« backport 8048fe8f6f4b crypto/tls: return better error message in the case of an SSLv2 handshake. Update #3930 Return a better error message in this situation. R=golang-dev, r CC=golang-dev https://golang.org/cl/6474055 »»»
-rw-r--r--src/pkg/crypto/tls/conn.go10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/pkg/crypto/tls/conn.go b/src/pkg/crypto/tls/conn.go
index 2a5115dc6a..455910af41 100644
--- a/src/pkg/crypto/tls/conn.go
+++ b/src/pkg/crypto/tls/conn.go
@@ -487,6 +487,16 @@ Again:
return err
}
typ := recordType(b.data[0])
+
+ // No valid TLS record has a type of 0x80, however SSLv2 handshakes
+ // start with a uint16 length where the MSB is set and the first record
+ // is always < 256 bytes long. Therefore typ == 0x80 strongly suggests
+ // an SSLv2 client.
+ if want == recordTypeHandshake && typ == 0x80 {
+ c.sendAlert(alertProtocolVersion)
+ return errors.New("tls: unsupported SSLv2 handshake received")
+ }
+
vers := uint16(b.data[1])<<8 | uint16(b.data[2])
n := int(b.data[3])<<8 | int(b.data[4])
if c.haveVers && vers != c.vers {
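Review bot: The result of `c.sendAlert(alertProtocolVersion)` on the new line before the `return` is discarded silently, while the neighbouring version check just below (its body lies outside the hunk) appears to hand the alert call's result back to the caller; if the intent is that the connection records the alert's error state internally and this caller gets the more descriptive message instead, a one-line comment would prevent a later "fix": `// sendAlert's own error is intentionally dropped so the caller sees the SSLv2-specific message.` It is also worth stating in the comment block that the alert is best-effort, since a peer that really speaks SSLv2 will not parse a TLS alert record, so the meaningful outcome of this branch is the local error rather than anything the peer sees. The `errors` package must already be imported for `errors.New` to compile; that import is not visible in the hunk. The enclosing function (the one carrying the `Again:` label in the hunk header) starts and ends outside the hunk.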