From: Daniil Zotkin Date: Tue, 24 Sep 2019 08:08:23 +0000 (+0300) Subject: Do not print extensions in Certificate message for TLS1.2 and lower X-Git-Tag: openssl-3.0.0-alpha1~1232 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=65c76cd2c9e8da9468dd490b334e56c51dbef582;p=oweals%2Fopenssl.git Do not print extensions in Certificate message for TLS1.2 and lower According to RFC8446 CertificateEntry in Certificate message contains extensions that were not present in the Certificate message in RFC5246. CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9994) --- diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index a2cb4f7385..c55c172b88 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -1242,8 +1242,9 @@ static int ssl_print_certificates(BIO *bio, const SSL *ssl, int server, while (clen > 0) { if (!ssl_print_certificate(bio, indent + 2, &msg, &clen)) return 0; - if (!ssl_print_extensions(bio, indent + 2, server, SSL3_MT_CERTIFICATE, - &msg, &clen)) + if (SSL_IS_TLS13(ssl) + && !ssl_print_extensions(bio, indent + 2, server, + SSL3_MT_CERTIFICATE, &msg, &clen)) return 0; }
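Review bot: The new `SSL_IS_TLS13(ssl)` condition inside the `while (clen > 0)` loop of `ssl_print_certificates` carries no comment explaining why `ssl_print_extensions` is skipped for older versions, so a later reader could take the gate for an oversight and remove it. A one-line comment above the `if` would help, for example that the per-entry extensions block of CertificateEntry exists only in TLS 1.3 (RFC 8446) and that in TLS 1.2 and lower the bytes after each certificate are the next certificate's length field. The diff touches only `ssl/t1_trce.c`, so nothing here exercises the trace output for a TLS 1.2 Certificate message with more than one certificate in the chain; a trace test for that case would catch a regression. It is also worth confirming that any other version-specific field parsed earlier in this function, above the lines visible in the hunk, is guarded by the same check.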