- /*
- * Since TLS 1.3 ciphersuites can be used with any auth or
- * key exchange scheme skip tests.
- */
- if (!SSL_IS_TLS13(s)) {
+
+ if (SSL_IS_TLS13(s)) {
+ /*
+ * We must choose a ciphersuite that has a digest compatible with
+ * the session, unless we're going to do an HRR in which case we
+ * will just choose our most preferred ciphersuite regardless of
+ * whether it is compatible with the session or not.
+ */
+ if (s->hit
+ && !s->hello_retry_request
+ && ssl_md(c->algorithm2)
+ != ssl_md(s->session->cipher->algorithm2))
+ continue;
+ } else {
+ /*
+ * These tests do not apply to TLS 1.3 ciphersuites because they can
+ * be used with any auth or key exchange scheme.
+ */