X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=ssl%2Fs3_srvr.c;h=75abebb22f4ea64c0a8e90a765d05f2c46b269fd;hb=024e6fed625b8f0e6c71d7b12c37d73fb5f71ea8;hp=2f23f2121bd98ff8878d9d6c8738602ba58837c0;hpb=ec4a50b3c3f2f50caccfd52e939857a5d6f02fd1;p=openssl.git
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 2f23f2121b..75abebb22f 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1432,6 +1432,16 @@ int ssl3_get_client_hello(SSL *s)
 * s->tmp.new_cipher - the new cipher to use.
 */
 
+ /* Handles TLS extensions that we couldn't check earlier */
+ if (s->version >= SSL3_VERSION)
+ {
+ if (ssl_check_clienthello_tlsext_late(s) <= 0)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
+ goto err;
+ }
+ }
+
 if (ret < 0) ret=1;
 if (0)
 {
@@ -1704,8 +1714,8 @@ int ssl3_send_server_key_exchange(SSL *s)
 ecdhp=cert->ecdh_tmp;
 if (s->cert->ecdh_tmp_auto)
 {
- /* Get NID of first shared curve */
- int nid = tls1_shared_curve(s, 0);
+ /* Get NID of appropriate shared curve */
+ int nid = tls1_shared_curve(s, -2);
 if (nid != NID_undef)
 ecdhp = EC_KEY_new_by_curve_name(nid);
 }
@@ -3338,7 +3348,7 @@ int ssl3_get_client_certificate(SSL *s)
 if (i <= 0)
 {
 al=ssl_verify_alarm_type(s->verify_result);
- SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
+ SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
 goto f_err;
 }
 }
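Review bot: In the ssl3_get_client_hello hunk, the new failure branch leaves through `goto err` and sets no alert value, so whether the peer ever receives a fatal alert depends entirely on ssl_check_clienthello_tlsext_late(), whose body is not part of this diff. If the helper sends its own alert, record that contract at the call site with something like `/* helper has already sent the alert on failure, so use err rather than an alert-sending exit */`. If it does not, the handshake is dropped without an alert and the branch should set the alert and take the function's alert-sending exit instead. The check also sits ahead of `if (ret < 0) ret=1;`, so it is worth confirming what `ret` holds when `err` is reached from here; the rest of the function is outside the hunk.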
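Review bot: In the ssl3_send_server_key_exchange hunk, `tls1_shared_curve(s, -2)` passes a bare sentinel whose meaning cannot be read from the call, and the new comment ("appropriate shared curve") does not say what rule makes a curve appropriate. Since this value decides which curve the ephemeral ECDH key uses, spell it out, e.g. `/* -2: ask for the curve to use for the temporary key rather than the match at index 0 */`, or give the sentinel a name next to the function's declaration. The handling of a NULL result from `EC_KEY_new_by_curve_name(nid)` and the ownership of the newly created key versus the borrowed `cert->ecdh_tmp` fall outside the hunk and should be checked against the code that follows.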
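Review bot: In the ssl3_get_client_certificate hunk, the branch is taken for `i <= 0`, so the new reason code `SSL_R_CERTIFICATE_VERIFY_FAILED` is recorded both when verification rejects the chain and, if the call that sets `i` can return a negative value for an internal error, when verification could not be carried out at all. That call is outside the hunk, so this is an inference; if it holds, anyone triaging the error queue cannot tell a bad client certificate from a local failure. A short comment such as `/* i < 0 (internal error) is reported as a verify failure too; the alert comes from verify_result */` would document this, or the `i < 0` case could be given its own reason code.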