From: Dr. Stephen Henson Date: Sun, 8 Nov 2015 13:47:53 +0000 (+0000) Subject: Reject TLS 1.2 ciphersuites if not allowed. X-Git-Tag: OpenSSL_1_0_2e~37 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=fdbe4a3fa669166efaec0d963e4216233368a7d9;p=oweals%2Fopenssl.git Reject TLS 1.2 ciphersuites if not allowed. Reviewed-by: Viktor Dukhovni --- diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index c5e0e36f3d..3911c3d5d0 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1050,6 +1050,11 @@ int ssl3_get_server_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED); goto f_err; } + /* Set version disabled mask now we know version */ + if (!SSL_USE_TLS1_2_CIPHERS(s)) + ct->mask_ssl = SSL_TLSV1_2; + else + ct->mask_ssl = 0; /* * If it is a disabled cipher we didn't send it in client hello, so * return an error.
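Review bot: the two new assignments to `ct->mask_ssl` in `ssl3_get_server_hello`, placed right after the `SSL_R_UNKNOWN_CIPHER_RETURNED` error path, overwrite the whole mask (`= SSL_TLSV1_2` / `= 0`) instead of setting or clearing only the TLS 1.2 bit, so any other bit held in `mask_ssl` when this point is reached is dropped in both branches. If the mask is only ever meant to carry the TLS 1.2 bit here, the comment should say so; otherwise use `|= SSL_TLSV1_2` and `&= ~SSL_TLSV1_2`. The comment "Set version disabled mask now we know version" would also be clearer if it stated that the disabled-cipher check directly below relies on this value, since that is the reason the assignment has to sit at this exact spot. Nothing in the visible change adds a regression test for a server that returns a TLS 1.2 ciphersuite when `SSL_USE_TLS1_2_CIPHERS(s)` is false, which is the case the subject line says is now rejected.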