That allows operation on a server which is explicitly configured to
use versions earlier than TLS 1.2.
/* TLS_FALLBACK_SCSV */
if (data[i] == GNUTLS_FALLBACK_SCSV_MAJOR &&
data[i + 1] == GNUTLS_FALLBACK_SCSV_MINOR) {
+ unsigned max = _gnutls_version_max(session);
_gnutls_handshake_log
("HSK[%p]: Received fallback CS\n",
session);
- if (gnutls_protocol_get_version(session) !=
- GNUTLS_TLS_VERSION_MAX)
- return GNUTLS_E_INAPPROPRIATE_FALLBACK;
+ if (gnutls_protocol_get_version(session) != max)
+ return gnutls_assert_val(GNUTLS_E_INAPPROPRIATE_FALLBACK);
}
}
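Review bot: The new `!= max` test is only a correct fallback check if `gnutls_protocol_get_version(session)` already holds the version selected for this ClientHello when the cipher-suite list is scanned. That ordering is not visible in the hunk and deserves a comment above the test, e.g. `/* version is already negotiated here; reject if we enable a higher one (RFC 7507) */`. `max` is declared `unsigned` but compared with a protocol version, so `gnutls_protocol_t max = _gnutls_version_max(session);` would keep the types aligned, assuming that is the helper's return type. If the helper can return an unknown-version sentinel when no protocol is enabled, the test rejects every hello carrying the SCSV; that fails closed, but it is worth confirming as intended. The enclosing function starts and ends outside the hunk.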