DTLS version usage fixes.

Make DTLS behave like TLS when negotiating version: record layer has
DTLS 1.0, message version is 1.2.

Tolerate different version numbers if version hasn't been negotiated
yet.

diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 39587039aa71058057e1ac27b706facebde0e3e3..aefd85d0c3516948d381c6c69423a5234014596a 100644 (file)
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -1557,9 +1557,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
         * we haven't decided which version to use yet send back using 
         * version 1.0 header: otherwise some clients will ignore it.
         */
-       if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B
-                       && s->method->version == DTLS_ANY_VERSION
-                       && s->client_version == DTLS1_VERSION)
+       if (s->method->version == DTLS_ANY_VERSION)
                {
                *(p++)=DTLS1_VERSION>>8;
                *(p++)=DTLS1_VERSION&0xff;

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 24c180c4d7294a961463fe5a49a3fbdf6d9b9b28..ce7b36aa14083c0a866a6a2a198b4897eb208d32 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -928,7 +928,7 @@ int ssl3_get_server_hello(SSL *s)
        /* Hello verify request and/or server hello version may not
         * match so set first packet if we're negotiating version.
         */
-       if (s->method->version == DTLS_ANY_VERSION)
+       if (SSL_IS_DTLS(s))
                s->first_packet = 1;
 
        n=s->method->ssl_get_message(s,