]> git.ipfire.org Git - thirdparty/openssl.git/blobdiff - ssl/statem/statem_clnt.c
Add a test for the supported_versions extension
index 6a05b9dd240466b04b3c45ebe296eab7fb45c36b..b8bca0e4dcbee143a4f5ff4e42b725717104acdc 100644 (file)
@@ -779,8 +779,13 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
      * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
      * client_version in client hello and not resetting it to
      * the negotiated version.
+     *
+     * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the
+     * supported_versions extension for the reall supported versions.
      */
-    if (!WPACKET_put_bytes_u16(pkt, s->client_version)
+    if (!WPACKET_put_bytes_u16(pkt,
+                (!SSL_IS_DTLS(s) && s->client_version >= TLS1_3_VERSION)
+                ? TLS1_2_VERSION : s->client_version)
             || !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) {
         SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
         return 0;
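Review bot: The value passed to `WPACKET_put_bytes_u16` can now differ from `s->client_version`, so any later code that treats `s->client_version` as "the version we sent in the ClientHello" will disagree with what the peer saw. The usual place this matters is the version bytes in the RSA premaster secret, which the server compares against the ClientHello version for rollback detection; that code is outside this hunk, so please confirm how it behaves when a TLS 1.3-capable client ends up negotiating TLS 1.2. Computing the capped value once into a named local, e.g. `int legacy_version = (!SSL_IS_DTLS(s) && s->client_version >= TLS1_3_VERSION) ? TLS1_2_VERSION : s->client_version;`, would make the wire value explicit and reusable instead of burying the ternary inside the call. The new comment also has a typo, "reall" for "real". The body of tls_construct_client_hello starts and ends outside the hunk.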