hello->num_extensions,
TLSEXT_TYPE_supported_versions);
- /*
- * TODO(TLS1.3): We only look at this if our max protocol version is TLS1.3
- * or above. Should we allow it for lower versions too?
- */
- if (suppversions != NULL && !SSL_IS_DTLS(s)
- && (s->max_proto_version == 0
- || TLS1_3_VERSION <= s->max_proto_version)) {
+ if (suppversions != NULL && !SSL_IS_DTLS(s)) {
unsigned int candidate_vers = 0;
unsigned int best_vers = 0;
const SSL_METHOD *best_method = NULL;
return ("ServerFail", undef);
} elsif ($c_min > $s_max) {
my @prots = @$protocols;
- if ($prots[$c_min] eq "TLSv1.3") {
- # Client won't have sent any ciphersuite the server recognises
- return ("ServerFail", undef);
+ if ($prots[$c_max] eq "TLSv1.3") {
+ # Client will have sent supported_versions, so server will know
+ # that there are no overlapping versions.
+ return ("ServerFail", undef);
} else {
# Server will try with a version that is lower than the lowest
# supported client version.
projects / openssl.git / commitdiff