Correct downgrade sentinels when a version pinned method is in use.

Previously only the enabled protocol versions were considered, however we also have to consider the method in use which may be version pinned. Found the hard way by danj@ with haproxy and force-tlsv12. ok beck@ inoguchi@ tb@
author: jsing <> 2020-05-31 16:36:35 +0000
committer: jsing <> 2020-05-31 16:36:35 +0000
commit: a49dcaedc471e79508b3e5674c538ca90f5c4e2e (patch)
tree: 1ce257d0fa239a96e7594d053190347cb2b42c4a /src/lib/libssl/ssl_clnt.c
parent: f05dbe69dd53b7d5eabcdb912115a58a46ab676a (diff)
download: openbsd-a49dcaedc471e79508b3e5674c538ca90f5c4e2e.tar.gz
openbsd-a49dcaedc471e79508b3e5674c538ca90f5c4e2e.tar.bz2
openbsd-a49dcaedc471e79508b3e5674c538ca90f5c4e2e.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index fb29e4f5f6..4d003466c4 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.67 2020/05/19 16:35:20 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.68 2020/05/31 16:36:35 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -873,7 +873,7 @@ ssl3_get_server_hello(SSL *s)
            sizeof(s->s3->server_random), NULL))
                goto err;
-        if (!SSL_IS_DTLS(s) && !ssl_enabled_version_range(s, NULL, &max_version))
+        if (!ssl_downgrade_max_version(s, &max_version))
                goto err;
        if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION &&
            s->version < max_version) {
author	jsing <>	2020-05-31 16:36:35 +0000
committer	jsing <>	2020-05-31 16:36:35 +0000
commit	a49dcaedc471e79508b3e5674c538ca90f5c4e2e (patch)
tree	1ce257d0fa239a96e7594d053190347cb2b42c4a /src/lib/libssl/ssl_clnt.c
parent	f05dbe69dd53b7d5eabcdb912115a58a46ab676a (diff)
download	openbsd-a49dcaedc471e79508b3e5674c538ca90f5c4e2e.tar.gz openbsd-a49dcaedc471e79508b3e5674c538ca90f5c4e2e.tar.bz2 openbsd-a49dcaedc471e79508b3e5674c538ca90f5c4e2e.zip

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index fb29e4f5f6..4d003466c4 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_clnt.c,v 1.67 2020/05/19 16:35:20 jsing Exp $ */	1	/* $OpenBSD: ssl_clnt.c,v 1.68 2020/05/31 16:36:35 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -873,7 +873,7 @@ ssl3_get_server_hello(SSL *s)
873	sizeof(s->s3->server_random), NULL))	873	sizeof(s->s3->server_random), NULL))
874	goto err;	874	goto err;
875		875
876	if (!SSL_IS_DTLS(s) && !ssl_enabled_version_range(s, NULL, &max_version))	876	if (!ssl_downgrade_max_version(s, &max_version))
877	goto err;	877	goto err;
878	if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION &&	878	if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION &&
879	s->version < max_version) {	879	s->version < max_version) {