From 65c76cd2c9e8da9468dd490b334e56c51dbef582 Mon Sep 17 00:00:00 2001 From: Daniil Zotkin Date: Tue, 24 Sep 2019 11:08:23 +0300 Subject: [PATCH] Do not print extensions in Certificate message for TLS1.2 and lower According to RFC8446 CertificateEntry in Certificate message contains extensions that were not present in the Certificate message in RFC5246. CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9994) --- ssl/t1_trce.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index a2cb4f7385..c55c172b88 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -1242,8 +1242,9 @@ static int ssl_print_certificates(BIO *bio, const SSL *ssl, int server, while (clen > 0) { if (!ssl_print_certificate(bio, indent + 2, &msg, &clen)) return 0; - if (!ssl_print_extensions(bio, indent + 2, server, SSL3_MT_CERTIFICATE, - &msg, &clen)) + if (SSL_IS_TLS13(ssl) + && !ssl_print_extensions(bio, indent + 2, server, + SSL3_MT_CERTIFICATE, &msg, &clen)) return 0; } -- 2.25.1