From 4d936ace088da7a72e7dc8901cbba64e3c1f3596 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bodo=20M=C3=B6ller?= Date: Tue, 17 Apr 2012 15:20:17 +0000 Subject: Disable SHA-2 ciphersuites in < TLS 1.2 connections. (TLS 1.2 clients could end up negotiating these with an OpenSSL server with TLS 1.2 disabled, which is problematic.) Submitted by: Adam Langley --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) (limited to 'CHANGES') diff --git a/CHANGES b/CHANGES index 60f245bd70..39cf1d3f25 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,9 @@ Changes between 1.0.1 and 1.0.1a [xx XXX xxxx] + *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections. + [Adam Langley] + *) Workarounds for some broken servers that "hang" if a client hello record length exceeds 255 bytes. -- cgit v1.2.1
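Review bot: The added CHANGES entry says "TLS 1.2 SHA-256 ciphersuites", but the commit subject says "SHA-2 ciphersuites", so the two descriptions of the restriction do not match in scope. Please make the entry use the same term as the subject, or state explicitly that only the SHA-256 suites are affected. The entry also omits the reason given in the commit message: a TLS 1.2 client could negotiate these suites with an OpenSSL server that has TLS 1.2 disabled. A short clause saying so would tell readers of CHANGES which configurations are affected. Because the diff shown is limited to CHANGES, the code that enforces the restriction cannot be checked against this wording here.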