From: Matt Caswell Date: Thu, 11 Jun 2020 15:47:50 +0000 (+0100) Subject: Don't send supported groups if no-ec and we're doing DTLS X-Git-Tag: openssl-3.0.0-alpha4~75 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=e09f8d256f60fd0af62e510f3eaab9e9936f3a6a;p=oweals%2Fopenssl.git Don't send supported groups if no-ec and we're doing DTLS The supported_groups extension only supported EC groups in DTLS. Therefore we shouldn't send it in a no-ec build. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/11914) --- diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index dbdedad1ab..abff069ec9 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -211,7 +211,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, } #if defined(OPENSSL_NO_EC) - if (max_version < TLS1_3_VERSION) + if (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION) return EXT_RETURN_NOT_SENT; #else if (!use_ecc(s, min_version, max_version) && max_version < TLS1_3_VERSION)