Fix SCRAM-*-PLUS SASL mechanisms with OpenSSL and TLSv1.2

Signed-off-by: Steffen Jaeckel <[email protected]>
strophe · Feb 21, 2024 · d3e4b31 · d3e4b31
1 parent 1cf09b1
commit d3e4b31
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/src/tls_openssl.c b/src/tls_openssl.c
@@ -753,15 +753,19 @@ int tls_init_channel_binding(tls_t *tls,
 
  switch (SSL_version(tls->ssl)) {
  case SSL3_VERSION:
- *binding_prefix = "tls-unique";
- *binding_prefix_len = strlen("tls-unique");
- tls->channel_binding_size = 36;
- break;
+ /* In theory the 'tls-unique' channel binding for SSLv3 would be 36
+ * bytes long, but:
+ * Attempting to use [SSL_export_keying_material] in
+ * SSLv3 will result in an error.
+ */
+ return -1;
  case TLS1_VERSION:
  case TLS1_1_VERSION:
  case TLS1_2_VERSION:
  *binding_prefix = "tls-unique";
  *binding_prefix_len = strlen("tls-unique");
+ label = "master secret";
+ labellen = 13;
  tls->channel_binding_size = 12;
  break;
 #ifdef TLS1_3_VERSION