Retry callback only after ClientHello received.

[openssl.git] / ssl / s23_srvr.c

diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 48778490135eb01130dcf009c3dda7534ffb341b..9d47c22cb86e98f70e57611a26caae9a6ba9a4ac 100644 (file)
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -425,6 +425,13 @@ int ssl23_get_client_hello(SSL *s)
                        }
                }
 
+       if (s->version < TLS1_2_VERSION && tls1_suiteb(s))
+               {
+               SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+                               SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
+               goto err;
+               }
+
 #ifdef OPENSSL_FIPS
        if (FIPS_mode() && (s->version < TLS1_VERSION))
                {