author | 2020-05-31 16:36:35 +0000 | |
---|---|---|
committer | 2020-05-31 16:36:35 +0000 | |
commit | 3231e218e51ca678e7830b1082f7a6f86157bec3 (patch) | |
tree | dd2ecb67a34fe950e909c18cf7c0311a0e3a3efb /lib/libssl/ssl_clnt.c | |
parent | Fix printing long doubles on architectures with hm and lm bits. (diff) | |
Correct downgrade sentinels when a version pinned method is in use.
Previously only the enabled protocol versions were considered, however we
also have to consider the method in use which may be version pinned.
Found the hard way by danj@ with haproxy and force-tlsv12.
ok beck@ inoguchi@ tb@
Diffstat (limited to 'lib/libssl/ssl_clnt.c')
-rw-r--r-- | lib/libssl/ssl_clnt.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index fb29e4f5f62..4d003466c48 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.67 2020/05/19 16:35:20 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.68 2020/05/31 16:36:35 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -873,7 +873,7 @@ ssl3_get_server_hello(SSL *s) sizeof(s->s3->server_random), NULL)) goto err; - if (!SSL_IS_DTLS(s) && !ssl_enabled_version_range(s, NULL, &max_version)) + if (!ssl_downgrade_max_version(s, &max_version)) goto err; if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION && s->version < max_version) { |
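Review bot: In the ssl3_get_server_hello() hunk, the replacement call drops the `!SSL_IS_DTLS(s)` guard, so `ssl_downgrade_max_version(s, &max_version)` now also runs on DTLS connections, and a failure there reaches `goto err`, where the old code skipped the lookup entirely. The sentinel check that follows still carries `!SSL_IS_DTLS(s)`, so the result is unused for DTLS. Either keep the guard on the new call or note in the commit message that ssl_downgrade_max_version() cannot fail for DTLS, since its body is not in this diff. The bug was found in the field with a version-pinned method, so a regression test that pins the client method to TLSv1.2 and checks the sentinel handling would help keep it from coming back.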