/* SSLfatal() already called */
goto err;
}
-#ifdef SSL_DEBUG
- fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
-#endif
} else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
ERR_R_INTERNAL_ERROR);
goto err;
}
+#ifdef SSL_DEBUG
+ if (SSL_USE_SIGALGS(s))
+ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
+#endif
+
/* Check for broken implementations of GOST ciphersuites */
/*
* If key is GOST and len is exactly 64 or 128, it is signature without
unsigned int best_vers = 0;
const SSL_METHOD *best_method = NULL;
PACKET versionslist;
- /* TODO(TLS1.3): Remove this before release */
- unsigned int orig_candidate = 0;
suppversions->parsed = 1;
return SSL_R_BAD_LEGACY_VERSION;
while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
- /* TODO(TLS1.3): Remove this before release */
- if (candidate_vers == TLS1_3_VERSION_DRAFT
- || candidate_vers == TLS1_3_VERSION_DRAFT_27
- || candidate_vers == TLS1_3_VERSION_DRAFT_26) {
- if (best_vers == TLS1_3_VERSION
- && orig_candidate > candidate_vers)
- continue;
- orig_candidate = candidate_vers;
- candidate_vers = TLS1_3_VERSION;
- } else if (candidate_vers == TLS1_3_VERSION) {
- /* Don't actually accept real TLSv1.3 */
- continue;
- }
- /*
- * TODO(TLS1.3): There is some discussion on the TLS list about
- * whether to ignore versions <TLS1.2 in supported_versions. At the
- * moment we honour them if present. To be reviewed later
- */
if (version_cmp(s, candidate_vers, best_vers) <= 0)
continue;
if (ssl_version_supported(s, candidate_vers, &best_method))
}
check_for_downgrade(s, best_vers, dgrd);
s->version = best_vers;
- /* TODO(TLS1.3): Remove this before release */
- if (best_vers == TLS1_3_VERSION)
- s->version_draft = orig_candidate;
s->method = best_method;
return 0;
}
if (highver != 0 && s->version != vent->version)
continue;
+ if (highver == 0 && (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) != 0)
+ highver = vent->version;
+
method = vent->cmeth();
err = ssl_method_error(s, method);
if (err != 0) {
if (s->version != vent->version)
continue;
-#ifndef OPENSSL_NO_TLS13DOWNGRADE
/* Check for downgrades */
if (s->version == TLS1_2_VERSION && highver > s->version) {
if (memcmp(tls12downgrade,
return 0;
}
}
-#endif
s->method = method;
return 1;