Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / e0ff7670253bf6525bd827125cdf7409f05d32ce^! / . / include / openssl / ssl.h
commite0ff7670253bf6525bd827125cdf7409f05d32ce[log] [tgz]
authorDavid Benjamin <davidben@google.com>Mon Sep 19 18:40:03 2016 -0400
committerCQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>Wed Sep 21 17:03:42 2016 +0000
tree23a8b8f623a66da5ba21eae397b0134cbbaf1188
parent28d938d4c3b0e7a7fd34afc755c6dc8ab40a0172 [diff] [blame]
Remove SSL_set_fallback_version.

Ding-dong the fallback's dead.
https://mailarchive.ietf.org/arch/msg/tls/xfCh7D7hISFs5x-eA0xHwksoLrc

Also we'll need to tweak the versioning code slightly to implement
supported_versions and it's nice to have this out of the way.

Change-Id: I0961e19ea56b4afd828f6f48858ac6310129503d
Reviewed-on: https://boringssl-review.googlesource.com/11120
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index a8d5abd..256e3a0 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h

@@ -695,9 +695,7 @@
  * version; see RFC 7507 for details.
  *
  * DO NOT ENABLE THIS if your application attempts a normal handshake. Only use
- * this in explicit fallback retries, following the guidance in RFC 7507.
- *
- * This flag is deprecated. Use |SSL_set_fallback_version| instead. */
+ * this in explicit fallback retries, following the guidance in RFC 7507. */
 #define SSL_MODE_SEND_FALLBACK_SCSV 0x00000400L
 
 /* SSL_CTX_set_mode enables all modes set in |mode| (which should be one or more
@@ -3093,22 +3091,6 @@
 OPENSSL_EXPORT void SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx,
                                                                    int enable);
 
-/* SSL_set_fallback_version, on a client, sets the effective maximum protocol
- * version. This may be used when implementing a version fallback to work around
- * buggy servers.
- *
- * For purposes of the TLS protocol itself, including assembling the ClientHello
- * and which ServerHello versions are accepted, this value is used as the
- * maximum version. However, if this value differs from the real maximum
- * version, as set by |SSL_set_max_version|, TLS_FALLBACK_SCSV (see RFC 7507)
- * will be sent. Further, the TLS 1.3 anti-downgrade logic will be conditioned
- * on the true maximum version.
- *
- * For instance, a fallback from a TLS 1.3 ClientHello to a TLS 1.2 ClientHello
- * should set this value to |TLS1_2_VERSION| and call |SSL_set_max_version| with
- * |TLS1_3_VERSION|. */
-OPENSSL_EXPORT void SSL_set_fallback_version(SSL *ssl, uint16_t version);
-
 
 /* Deprecated functions. */
 
@@ -4017,11 +3999,6 @@
    * is normalized in DTLS. */
   uint16_t min_version;
 
-  /* fallback_version is the effective maximum acceptable protocol version for
-   * use with a version fallback, or zero if unset. Note this version is
-   * normalized in DTLS. */
-  uint16_t fallback_version;
-
   uint16_t max_send_fragment;
 
   /* There are 2 BIO's even though they are normally both the same. This is so