Do not print extensions in Certificate message for TLS1.2 and lower
authorDaniil Zotkin <zotkin@rutoken.ru>
Tue, 24 Sep 2019 08:08:23 +0000 (11:08 +0300)
committerPauli <paul.dale@oracle.com>
Thu, 3 Oct 2019 00:29:49 +0000 (10:29 +1000)
According to RFC8446 CertificateEntry in Certificate message contains
extensions that were not present in the Certificate message in RFC5246.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9994)

ssl/t1_trce.c

index a2cb4f7..c55c172 100644 (file)
@@ -1242,8 +1242,9 @@ static int ssl_print_certificates(BIO *bio, const SSL *ssl, int server,
     while (clen > 0) {
         if (!ssl_print_certificate(bio, indent + 2, &msg, &clen))
             return 0;
     while (clen > 0) {
         if (!ssl_print_certificate(bio, indent + 2, &msg, &clen))
             return 0;
-        if (!ssl_print_extensions(bio, indent + 2, server, SSL3_MT_CERTIFICATE,
-                                  &msg, &clen))
+        if (SSL_IS_TLS13(ssl)
+            && !ssl_print_extensions(bio, indent + 2, server,
+                                     SSL3_MT_CERTIFICATE, &msg, &clen))
             return 0;
 
     }
             return 0;
 
     }