Don't set client_version to the ServerHello version.
author Adam Langley <agl@google.com>
Sat, 13 Dec 2014 20:13:10 +0000 (20:13 +0000)
committer Matt Caswell <matt@openssl.org>
Tue, 16 Dec 2014 14:44:17 +0000 (14:44 +0000)
The client_version needs to be preserved for the RSA key exchange.

This change also means that renegotiation will, like TLS, repeat the old
client_version rather than advertise only the final version. (Either way,
version change on renego is not allowed.) This is necessary in TLS to work
around an SChannel bug, but it's not strictly necessary in DTLS.

(From BoringSSL)

Reviewed-by: Emilia Käsper <emilia@openssl.org>
ssl/s3_clnt.c

index e178fe12ad3971280577467f6365bfb7a6833b91..1aff83318436271ff4b836e0707e200a1c231544 100644 (file)
@@ -944,7 +944,7 @@ int ssl3_get_server_hello(SSL *s)
                        al = SSL_AD_PROTOCOL_VERSION;
                        goto f_err;
                        }
-               s->version = s->client_version = s->method->version;
+               s->version = s->method->version;
                }
 
        if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
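
Review bot: the added line `s->version = s->method->version;` has no comment saying that client_version is deliberately left untouched, so a later cleanup could restore the chained assignment without noticing. A one-line comment above it would help, stating that client_version must keep the value sent in the ClientHello because the RSA key exchange depends on it, as the commit message explains. The message also describes a behaviour change on renegotiation (the old client_version is repeated); the patch as shown adds no regression test or changelog entry for either effect, and both would be worth adding.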