From 6dd547398acfd022cd0f7354b9ab6a83bea3176a Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 7 Oct 2011 15:07:19 +0000 Subject: [PATCH] use client version when eliminating TLS v1.2 ciphersuites in client hello --- ssl/ssl_lib.c | 2 +- ssl/tls1.h | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 4c4665b088..c983474f58 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1381,7 +1381,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, c=sk_SSL_CIPHER_value(sk,i); /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */ if ((c->algorithm_ssl & SSL_TLSV1_2) && - (TLS1_get_version(s) < TLS1_2_VERSION)) + (TLS1_get_client_version(s) < TLS1_2_VERSION)) continue; #ifndef OPENSSL_NO_KRB5 if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) && diff --git a/ssl/tls1.h b/ssl/tls1.h index 8fe7d7cef2..14b5d9bfdf 100644 --- a/ssl/tls1.h +++ b/ssl/tls1.h @@ -174,6 +174,9 @@ extern "C" { #define TLS1_get_version(s) \ ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0) +#define TLS1_get_client_version(s) \ + ((s->client_version >> 8) == TLS1_VERSION_MAJOR ? s->client_version : 0) + #define TLS1_AD_DECRYPTION_FAILED 21 #define TLS1_AD_RECORD_OVERFLOW 22 #define TLS1_AD_UNKNOWN_CA 48 /* fatal */ -- 2.25.1