X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_clnt.c;h=b6345b5fa82b596022d889fa75728711d19714b1;hp=812af8cb5ade1689447a1e22ae3aecfd4332444d;hb=b7bfe69b665e0215daf7715adddd7fc7a4b2b63e;hpb=5180f57c65ac0ccf4a466fc5e670b76c883e8fa2;ds=sidebyside

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 812af8cb5a..b6345b5fa8 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -837,6 +837,7 @@ int ssl3_get_server_hello(SSL *s)
 	{
 	STACK_OF(SSL_CIPHER) *sk;
 	const SSL_CIPHER *c;
+	CERT *ct = s->cert;
 	unsigned char *p,*d;
 	int i,al=SSL_AD_INTERNAL_ERROR,ok;
 	unsigned int j;
@@ -959,9 +960,12 @@ int ssl3_get_server_hello(SSL *s)
 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
 		goto f_err;
 		}
-	/* TLS v1.2 only ciphersuites require v1.2 or later */
-	if ((c->algorithm_ssl & SSL_TLSV1_2) && 
-		(TLS1_get_version(s) < TLS1_2_VERSION))
+	/* If it is a disabled cipher we didn't send it in client hello,
+	 * so return an error.
+	 */
+	if (c->algorithm_ssl & ct->mask_ssl ||
+		c->algorithm_mkey & ct->mask_k ||
+		c->algorithm_auth & ct->mask_a)
 		{
 		al=SSL_AD_ILLEGAL_PARAMETER;
 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);