Reject TLS 1.2 ciphersuites if not allowed.
authorDr. Stephen Henson <steve@openssl.org>
Sun, 8 Nov 2015 13:47:53 +0000 (13:47 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Sun, 8 Nov 2015 13:47:53 +0000 (13:47 +0000)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
ssl/s3_clnt.c

index c5e0e36f3d20c468388111df3060c9465434b182..3911c3d5d0deab2dec8ea3efc67106f27b7d6e76 100644 (file)
@@ -1050,6 +1050,11 @@ int ssl3_get_server_hello(SSL *s)
         SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED);
         goto f_err;
     }
+    /* Set version disabled mask now we know version */
+    if (!SSL_USE_TLS1_2_CIPHERS(s))
+        ct->mask_ssl = SSL_TLSV1_2;
+    else
+        ct->mask_ssl = 0;
     /*
      * If it is a disabled cipher we didn't send it in client hello, so
      * return an error.
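Review bot: The comment on the first added line says only that the mask is set, not what it gates; the consumer is the disabled-cipher check that begins at the end of this hunk and continues past it, and a reader has to already know that `ct->mask_ssl` is matched against the selected cipher's version bits. I would expand it to `/* Now that the negotiated version is known, recompute the SSL-version mask so the disabled-cipher check below rejects a TLS 1.2-only suite whenever SSL_USE_TLS1_2_CIPHERS(s) is false, even though the server returned one. */`. The assignment unconditionally replaces whatever `ct->mask_ssl` held when the ClientHello was built, which looks intended, but it relies on `SSL_USE_TLS1_2_CIPHERS(s)` already reflecting the server-chosen version at this point in the function; the version switch is not visible in the hunk, so that ordering is worth confirming, since evaluating it against the client's offered version would leave a downgraded connection free to keep a TLS 1.2 suite. `ssl3_get_server_hello` starts and ends outside the hunk.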