diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 4535f89a1e3f346b64bf28915c81ce873c4a72d5..28de7c384ea68e1978b5e96005e75dd5999b0578 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1463,14 +1463,12 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, switch (SSL3_RECORD_get_type(rr)) { default: /* - * TLS up to v1.1 just ignores unknown message types: TLS v1.2 give - * an unexpected message alert. + * TLS 1.0 and 1.1 say you SHOULD ignore unrecognised record types, but + * TLS 1.2 says you MUST send an unexpected message alert. We use the + * TLS 1.2 behaviour for all protocol versions to prevent issues where + * no progress is being made and the peer continually sends unrecognised + * record types, using up resources processing them. */ - if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) { - SSL3_RECORD_set_length(rr, 0); - SSL3_RECORD_set_read(rr); - goto start; - } al = SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD); goto f_err;