use client version when eliminating TLS v1.2 ciphersuites in client hello
authorDr. Stephen Henson <steve@openssl.org>
Fri, 7 Oct 2011 15:07:36 +0000 (15:07 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 7 Oct 2011 15:07:36 +0000 (15:07 +0000)
ssl/ssl_lib.c
ssl/tls1.h

index 4ebdde2fa394875906a4fa31ee4c180f7bce8b3a..ee84bb78d87e155cb1c12a1456c1c346bc53b796 100644 (file)
@@ -1371,7 +1371,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
                c=sk_SSL_CIPHER_value(sk,i);
                /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
                if ((c->algorithm_ssl & SSL_TLSV1_2) && 
-                       (TLS1_get_version(s) < TLS1_2_VERSION))
+                       (TLS1_get_client_version(s) < TLS1_2_VERSION))
                        continue;
 #ifndef OPENSSL_NO_KRB5
                if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) &&
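Review bot: The comment above the changed condition still reads "if lower than v1.2" and no longer says which version is compared; it should name the field, e.g. `/* Skip TLS v1.2 only ciphersuites if the client's offered version (s->client_version) is lower than v1.2 */`. The filter now depends on `s->client_version` being set before `ssl_cipher_list_to_bytes` runs. `TLS1_get_client_version` yields 0 when that field is unset or its major byte is not `TLS1_VERSION_MAJOR`, in which case every TLS v1.2-only suite is silently dropped from the list. It is worth confirming that each caller assigns `client_version` first; the callers are not visible here, and the function body starts and ends outside this hunk.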
index ef5d5ef357375c86e59bf120ea2f0c0c7bd8f0e4..75ddfcad8dd5c0665291037e13a57632cfa47411 100644 (file)
@@ -174,6 +174,9 @@ extern "C" {
 #define TLS1_get_version(s) \
                ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
 
+#define TLS1_get_client_version(s) \
+               ((s->client_version >> 8) == TLS1_VERSION_MAJOR ? s->client_version : 0)
+
 #define TLS1_AD_DECRYPTION_FAILED      21
 #define TLS1_AD_RECORD_OVERFLOW                22
 #define TLS1_AD_UNKNOWN_CA             48      /* fatal */
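Review bot: The new `TLS1_get_client_version` macro uses its argument unparenthesized and evaluates it twice, so an argument such as `cond ? a : b`, or one with side effects, will misparse or run twice. Prefer `(((s)->client_version >> 8) == TLS1_VERSION_MAJOR ? (s)->client_version : 0)`. The existing `TLS1_get_version` just above has the same shape and could be fixed alongside it. A one-line comment would also help callers that compare the result against a version constant: `/* Returns 0 when client_version is not a TLS 1.x version */`.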