no need for empty fragments with TLS 1.1 and later due to explicit IV

author: Dr. Stephen Henson <steve@openssl.org> 2010-06-27 14:42:43 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2010-06-27 14:42:43 +0000
commit: 28566b4966ead6d828e3f5095ee15feb4744ed96 (patch)
tree: e42f8f6a54a07b341a702d81e99a2e405c330fd2
parent: b4b15f68c01c4bf4557db5ff6180623411540b52 (diff)
download: openssl-28566b4966ead6d828e3f5095ee15feb4744ed96.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index b5c3179c48..5446bb250d 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -607,7 +607,8 @@ printf("\nkey block\n");
 { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
 #endif
 
-	if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
+	if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
+		&& s->method->version <= TLS1_VERSION)
 		{
 		/* enable vulnerability countermeasure for CBC ciphers with
 		 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
author	Dr. Stephen Henson <steve@openssl.org>	2010-06-27 14:42:43 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2010-06-27 14:42:43 +0000
commit	28566b4966ead6d828e3f5095ee15feb4744ed96 (patch)
tree	e42f8f6a54a07b341a702d81e99a2e405c330fd2
parent	b4b15f68c01c4bf4557db5ff6180623411540b52 (diff)
download	openssl-28566b4966ead6d828e3f5095ee15feb4744ed96.tar.gz