authorjsing <jsing@openbsd.org>2020-01-26 07:24:47 +0000
committerjsing <jsing@openbsd.org>2020-01-26 07:24:47 +0000
commit3fafa71a3b73b1cac42f2091764fa903368bf5d8 (patch)
treee18b7383f690d9c30993d2303384aa2990ad62f9 /lib/libssl/ssl_lib.c
parentWhen switching back to a legacy client or server, ensure we reset the (diff)
When an SSL method is set, bump the max version back to that of the
incoming method if it is a client. This addresses the case where TLS_method() is used to initialise an SSL_CTX and TLS_client_method() is then set, resulting in TLSv1.2 being used instead of TLSv1.3. This is observable in smtpd. ok beck@
Diffstat (limited to 'lib/libssl/ssl_lib.c')
-rw-r--r--lib/libssl/ssl_lib.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index a6bdfaa4a10..a5a79d76bc0 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.210 2020/01/23 10:40:59 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.211 2020/01/26 07:24:47 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2240,6 +2240,15 @@ SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
ret = s->method->internal->ssl_new(s);
}
+ /*
+ * XXX - reset the client max version to that of the incoming
+ * method, otherwise a caller that uses a TLS_method() and then
+ * sets with TLS_client_method() cannot do TLSv1.3.
+ */
+ if (meth->internal->max_version == TLS1_3_VERSION &&
+ meth->internal->ssl_connect != NULL)
+ s->internal->max_version = meth->internal->max_version;
+
if (conn == 1)
s->internal->handshake_func = meth->internal->ssl_connect;
else if (conn == 0)