Google Git
Sign in
boringssl/boringssl/ac61fa379fde449f52f7804aa5e7e39554a37b74^!/./ssl/test/runner/common.go
commit
ac61fa379fde449f52f7804aa5e7e39554a37b74
[log]
author
Adam Langley <agl@chromium.org>
Mon Jun 23 12:03:11 2014 -0700
committer
Adam Langley <agl@chromium.org>
Mon Jun 23 12:03:11 2014 -0700
tree
88af57edd63fb11c018074a4683fab7f30cb914e
parent
bbb42ffaf44a1dc94579f0a68553b2c3269ec5ee [diff] [blame]
Implement TLS_FALLBACK_SCSV support for the client.

With this change, calling SSL_enable_fallback_scsv on a client SSL* will
cause the fallback SCSV to be sent.

This is intended to be set when the client is performing TLS fallback
after a failed connection. (This only happens if the application itself
implements this behaviour: OpenSSL does not do fallback automatically.)

The fallback SCSV indicates to the server that it should reject the
connection if the version indicated by the client is less than the
version supported by the server.

See http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-02.

Change-Id: I478d6d5135016f1b7c4aaa6c306a1a64b1d215a6

diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 0905e9f..fd78eb6 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go

@@ -341,6 +341,10 @@
 	// PaddingFirstByteBadIf255 causes the first byte of padding to be
 	// incorrect if there's a maximum amount of padding (i.e. 255 bytes).
 	PaddingFirstByteBadIf255 bool
+
+	// FailIfNotFallbackSCSV causes a server handshake to fail if the
+	// client doesn't send the fallback SCSV value.
+	FailIfNotFallbackSCSV bool
 }
 
 func (c *Config) serverInit() {