The legacy_record_version must be set to TLS1_2_VERSION except

in the ClientHello where it may be set to TLS1_VERSION.  Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing

1 files changed, 12 insertions, 1 deletions

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index ed9a69918a..e0041eadae 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.23 2020/01/22 02:21:05 beck Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.24 2020/01/22 02:39:45 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -199,6 +199,9 @@ tls13_client_hello_send(struct tls13_ctx *ctx)
 {
         CBB body;
 
+        if (ctx->hs->min_version < TLS1_2_VERSION)
+                tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
+
         if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_CLIENT_HELLO))
                 return 0;
         if (!tls13_client_hello_build(ctx->ssl, &body))
@@ -209,6 +212,14 @@ tls13_client_hello_send(struct tls13_ctx *ctx)
         return 1;
 }
 
+int
+tls13_client_hello_sent(struct tls13_ctx *ctx)
+{
+        tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
+
+        return 1;
+}
+
 /*
  * HelloRetryRequest hash - RFC 8446 section 4.1.3.
  */