Add checks to ensure we do not initiate or negotiate handshakes with

versions below the minimum required by the security level.

input & ok jsing

1 files changed, 9 insertions, 3 deletions

diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index 4069670dc9..06e26b8059 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.22 2022/02/05 14:54:10 jsing Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.23 2022/06/30 11:17:50 tb Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -329,6 +329,9 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
                         return 0;
         }
 
+        if (!ssl_security_version(s, shared_version))
+                return 0;
+
         *max_ver = shared_version;
 
         return 1;
@@ -352,8 +355,11 @@ ssl_check_version_from_server(SSL *s, uint16_t server_version)
             &max_tls_version))
                 return 0;
 
-        return (server_tls_version >= min_tls_version &&
-            server_tls_version <= max_tls_version);
+        if (server_tls_version < min_tls_version ||
+            server_tls_version > max_tls_version)
+                return 0;
+
+        return ssl_security_version(s, server_tls_version);
 }
 
 int