From f25e4263fe9273d8bdd6a798f8f0b8cb3faeacf9 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Sat, 14 Jun 2014 22:24:08 +0100
Subject: [PATCH] Accept CCS after sending finished.

Allow CCS after finished has been sent by client: at this point
keys have been correctly set up so it is OK to accept CCS from
server. Without this renegotiation can sometimes fail.

PR#3400
(cherry picked from commit 99cd6a91fcb0931feaebbb4832681d40a66fad41)
---
 ssl/s3_clnt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 2b1d2b8c57..4e5a95353b 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -467,6 +467,7 @@ int ssl3_connect(SSL *s)
 				s->method->ssl3_enc->client_finished_label,
 				s->method->ssl3_enc->client_finished_label_len);
 			if (ret <= 0) goto end;
+			s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			s->state=SSL3_ST_CW_FLUSH;
 
 			/* clear flags */
-- 
2.25.1