From: Daniil Zotkin Date: Tue, 24 Sep 2019 08:08:23 +0000 (+0300) Subject: Do not print extensions in Certificate message for TLS1.2 and lower X-Git-Tag: OpenSSL_1_1_1e~205 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=51f879a31f926ba12b783c68f4ba9e4ee490145f;p=oweals%2Fopenssl.git Do not print extensions in Certificate message for TLS1.2 and lower According to RFC8446 CertificateEntry in Certificate message contains extensions that were not present in the Certificate message in RFC5246. CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9994) (cherry picked from commit 65c76cd2c9e8da9468dd490b334e56c51dbef582) --- diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index 0559fba9d9..5c84339314 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -1246,8 +1246,9 @@ static int ssl_print_certificates(BIO *bio, const SSL *ssl, int server, while (clen > 0) { if (!ssl_print_certificate(bio, indent + 2, &msg, &clen)) return 0; - if (!ssl_print_extensions(bio, indent + 2, server, SSL3_MT_CERTIFICATE, - &msg, &clen)) + if (SSL_IS_TLS13(ssl) + && !ssl_print_extensions(bio, indent + 2, server, + SSL3_MT_CERTIFICATE, &msg, &clen)) return 0; }
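Review bot: The new `SSL_IS_TLS13(ssl)` guard inside the `while (clen > 0)` loop of `ssl_print_certificates` carries no comment explaining why extension parsing depends on the version, so a later reader could take it for an arbitrary restriction and remove it. A one-line comment above the `if` would help, along the lines of "CertificateEntry carries extensions only in TLS 1.3 (RFC 8446); earlier versions have a bare certificate list", which is the reason the commit message gives. The guard also takes the version from the connection state in `ssl` rather than from the message bytes, so it is worth confirming that the negotiated version is already set on `ssl` whenever a Certificate message reaches this trace path; otherwise a TLS 1.3 entry would have its extension block parsed as the start of the next certificate by `ssl_print_certificate`. The diff touches only `ssl/t1_trce.c`; a trace test covering a TLS 1.2 Certificate message with more than one certificate would keep the old behaviour from returning.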