From fdbe4a3fa669166efaec0d963e4216233368a7d9 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Sun, 8 Nov 2015 13:47:53 +0000
Subject: [PATCH] Reject TLS 1.2 ciphersuites if not allowed.

Reviewed-by: Viktor Dukhovni
---
 ssl/s3_clnt.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index c5e0e36f3d..3911c3d5d0 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1050,6 +1050,11 @@ int ssl3_get_server_hello(SSL *s)
             SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED);
             goto f_err;
         }
+        /* Set version disabled mask now we know version */
+        if (!SSL_USE_TLS1_2_CIPHERS(s))
+            ct->mask_ssl = SSL_TLSV1_2;
+        else
+            ct->mask_ssl = 0;
         /*
          * If it is a disabled cipher we didn't send it in client hello, so
          * return an error.
--
2.25.1
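Review bot: The else branch overwrites ct->mask_ssl with 0 rather than clearing only the TLS 1.2 bit, so whatever version mask the ClientHello construction path stored in that field is discarded just before the disabled-cipher check that consumes it; if mask_ssl can only ever hold SSL_TLSV1_2 this is harmless, but `ct->mask_ssl &= ~SSL_TLSV1_2;` would express the intent more narrowly and survive a future additional version bit. The comment above the new lines says what is set but not why it matters; something like `/* Version is now known from ServerHello: a TLS 1.2-only cipher is rejected below if the negotiated version cannot use it, so a server cannot pair a downgraded version with a TLS 1.2 suite. */` would make the downgrade-defense purpose visible to the next reader. Note that ct is declared outside the hunk, presumably pointing into the SSL's certificate state, so this mutation is a side effect on shared state rather than a local; worth confirming nothing else reads mask_ssl after this handshake step with the old value in mind. ssl3_get_server_hello both starts and ends outside the hunk, as does the check that uses mask_ssl.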