9 files changed, 132 insertions, 128 deletions

diff --git a/src/lib/libssl/ssl_ciphers.c b/src/lib/libssl/ssl_ciphers.c
index 399e274ad4..85c60b1abb 100644
--- a/src/lib/libssl/ssl_ciphers.c
+++ b/src/lib/libssl/ssl_ciphers.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_ciphers.c,v 1.9 2020/09/15 15:28:38 schwarze Exp $ */
+/*      $OpenBSD: ssl_ciphers.c,v 1.10 2021/02/25 17:06:05 jsing Exp $ */
 /*
  * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
  * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
@@ -36,28 +36,17 @@ ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher)
 }
 
 int
-ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
+ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
     uint16_t max_ver)
 {
-        /* XXX: We only support DTLSv1 which is effectively TLSv1.1 */
-        if (min_ver == DTLS1_VERSION || max_ver == DTLS1_VERSION)
-                min_ver = max_ver = TLS1_1_VERSION;
-
         switch(cipher->algorithm_ssl) {
         case SSL_SSLV3:
-                if (min_ver <= TLS1_2_VERSION)
-                        return 1;
-                break;
+                return (min_ver <= TLS1_2_VERSION);
         case SSL_TLSV1_2:
-                if (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver)
-                        return 1;
-                break;
+                return (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver);
         case SSL_TLSV1_3:
-                if (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver)
-                        return 1;
-                break;
+                return (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver);
         }
-
         return 0;
 }
 
@@ -72,13 +61,13 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
         if (ciphers == NULL)
                 return 0;
 
-        if (!ssl_supported_version_range(s, &min_vers, &max_vers))
+        if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers))
                 return 0;
 
         for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
                 if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
                         return 0;
-                if (!ssl_cipher_allowed_in_version_range(cipher, min_vers,
+                if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
                     max_vers))
                         continue;
                 if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 33aca33c92..57d0f4b779 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.248 2021/02/20 14:14:16 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.249 2021/02/25 17:06:05 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -254,8 +254,8 @@ SSL_new(SSL_CTX *ctx)
         if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL)
                 goto err;
 
-        s->internal->min_version = ctx->internal->min_version;
-        s->internal->max_version = ctx->internal->max_version;
+        s->internal->min_tls_version = ctx->internal->min_tls_version;
+        s->internal->max_tls_version = ctx->internal->max_tls_version;
         s->internal->min_proto_version = ctx->internal->min_proto_version;
         s->internal->max_proto_version = ctx->internal->max_proto_version;
 
@@ -1336,7 +1336,7 @@ SSL_get1_supported_ciphers(SSL *s)
 
         if (s == NULL)
                 return NULL;
-        if (!ssl_supported_version_range(s, &min_vers, &max_vers))
+        if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers))
                 return NULL;
         if ((ciphers = SSL_get_ciphers(s)) == NULL)
                 return NULL;
@@ -1346,7 +1346,7 @@ SSL_get1_supported_ciphers(SSL *s)
         for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
                 if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
                         goto err;
-                if (!ssl_cipher_allowed_in_version_range(cipher, min_vers,
+                if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
                     max_vers))
                         continue;
                 if (!sk_SSL_CIPHER_push(supported_ciphers, cipher))
@@ -1829,8 +1829,8 @@ SSL_CTX_new(const SSL_METHOD *meth)
         }
 
         ret->method = meth;
-        ret->internal->min_version = meth->internal->min_version;
-        ret->internal->max_version = meth->internal->max_version;
+        ret->internal->min_tls_version = meth->internal->min_tls_version;
+        ret->internal->max_tls_version = meth->internal->max_tls_version;
         ret->internal->min_proto_version = 0;
         ret->internal->max_proto_version = 0;
         ret->internal->mode = SSL_MODE_AUTO_RETRY;
@@ -3027,7 +3027,7 @@ int
 SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version)
 {
         return ssl_version_set_min(ctx->method, version,
-            ctx->internal->max_version, &ctx->internal->min_version,
+            ctx->internal->max_tls_version, &ctx->internal->min_tls_version,
             &ctx->internal->min_proto_version);
 }
 
@@ -3041,7 +3041,7 @@ int
 SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version)
 {
         return ssl_version_set_max(ctx->method, version,
-            ctx->internal->min_version, &ctx->internal->max_version,
+            ctx->internal->min_tls_version, &ctx->internal->max_tls_version,
             &ctx->internal->max_proto_version);
 }
 
@@ -3055,7 +3055,7 @@ int
 SSL_set_min_proto_version(SSL *ssl, uint16_t version)
 {
         return ssl_version_set_min(ssl->method, version,
-            ssl->internal->max_version, &ssl->internal->min_version,
+            ssl->internal->max_tls_version, &ssl->internal->min_tls_version,
             &ssl->internal->min_proto_version);
 }
 int
@@ -3068,7 +3068,7 @@ int
 SSL_set_max_proto_version(SSL *ssl, uint16_t version)
 {
         return ssl_version_set_max(ssl->method, version,
-            ssl->internal->min_version, &ssl->internal->max_version,
+            ssl->internal->min_tls_version, &ssl->internal->max_tls_version,
             &ssl->internal->max_proto_version);
 }
 
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 3a4d318987..7ed3094c3e 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.322 2021/02/22 15:59:10 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.323 2021/02/25 17:06:05 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -362,8 +362,8 @@ typedef struct ssl_method_internal_st {
         int server;
         int version;
 
-        uint16_t min_version;
-        uint16_t max_version;
+        uint16_t min_tls_version;
+        uint16_t max_tls_version;
 
         int (*ssl_new)(SSL *s);
         void (*ssl_clear)(SSL *s);
@@ -517,8 +517,8 @@ int tls12_record_layer_seal_record(struct tls12_record_layer *rl,
     CBB *out);
 
 typedef struct ssl_ctx_internal_st {
-        uint16_t min_version;
-        uint16_t max_version;
+        uint16_t min_tls_version;
+        uint16_t max_tls_version;
 
         /*
          * These may be zero to imply minimum or maximum version supported by
@@ -686,8 +686,8 @@ typedef struct ssl_ctx_internal_st {
 typedef struct ssl_internal_st {
         struct tls13_ctx *tls13;
 
-        uint16_t min_version;
-        uint16_t max_version;
+        uint16_t min_tls_version;
+        uint16_t max_tls_version;
 
         /*
          * These may be zero to imply minimum or maximum version supported by
@@ -1121,19 +1121,19 @@ struct ssl_aead_ctx_st {
 extern const SSL_CIPHER ssl3_ciphers[];
 
 const char *ssl_version_string(int ver);
-int ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
-int ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
-int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
-    uint16_t *out_ver, uint16_t *out_proto_ver);
-int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
-    uint16_t *out_ver, uint16_t *out_proto_ver);
+int ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
+    uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver);
+int ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
+    uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver);
+int ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
+int ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
 int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver);
 int ssl_max_supported_version(SSL *s, uint16_t *max_ver);
 int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver);
 int ssl_check_version_from_server(SSL *s, uint16_t server_version);
 int ssl_legacy_stack_version(SSL *s, uint16_t version);
 int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher);
-int ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher,
+int ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher,
     uint16_t min_ver, uint16_t max_ver);
 
 const SSL_METHOD *tls_legacy_method(void);
diff --git a/src/lib/libssl/ssl_methods.c b/src/lib/libssl/ssl_methods.c
index ae532ba16d..084f533f5e 100644
--- a/src/lib/libssl/ssl_methods.c
+++ b/src/lib/libssl/ssl_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_methods.c,v 1.22 2021/02/20 08:33:17 jsing Exp $ */
+/* $OpenBSD: ssl_methods.c,v 1.23 2021/02/25 17:06:05 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -64,8 +64,8 @@ static const SSL_METHOD_INTERNAL DTLS_method_internal_data = {
         .dtls = 1,
         .server = 1,
         .version = DTLS1_2_VERSION,
-        .min_version = DTLS1_VERSION,
-        .max_version = DTLS1_2_VERSION,
+        .min_tls_version = TLS1_1_VERSION,
+        .max_tls_version = TLS1_2_VERSION,
         .ssl_new = dtls1_new,
         .ssl_clear = dtls1_clear,
         .ssl_free = dtls1_free,
@@ -93,8 +93,8 @@ static const SSL_METHOD_INTERNAL DTLS_client_method_internal_data = {
         .dtls = 1,
         .server = 0,
         .version = DTLS1_2_VERSION,
-        .min_version = DTLS1_VERSION,
-        .max_version = DTLS1_2_VERSION,
+        .min_tls_version = TLS1_1_VERSION,
+        .max_tls_version = TLS1_2_VERSION,
         .ssl_new = dtls1_new,
         .ssl_clear = dtls1_clear,
         .ssl_free = dtls1_free,
@@ -123,8 +123,8 @@ static const SSL_METHOD_INTERNAL DTLSv1_method_internal_data = {
         .dtls = 1,
         .server = 1,
         .version = DTLS1_VERSION,
-        .min_version = DTLS1_VERSION,
-        .max_version = DTLS1_VERSION,
+        .min_tls_version = TLS1_1_VERSION,
+        .max_tls_version = TLS1_1_VERSION,
         .ssl_new = dtls1_new,
         .ssl_clear = dtls1_clear,
         .ssl_free = dtls1_free,
@@ -152,8 +152,8 @@ static const SSL_METHOD_INTERNAL DTLSv1_client_method_internal_data = {
         .dtls = 1,
         .server = 0,
         .version = DTLS1_VERSION,
-        .min_version = DTLS1_VERSION,
-        .max_version = DTLS1_VERSION,
+        .min_tls_version = TLS1_1_VERSION,
+        .max_tls_version = TLS1_1_VERSION,
         .ssl_new = dtls1_new,
         .ssl_clear = dtls1_clear,
         .ssl_free = dtls1_free,
@@ -181,8 +181,8 @@ static const SSL_METHOD_INTERNAL DTLSv1_2_method_internal_data = {
         .dtls = 1,
         .server = 1,
         .version = DTLS1_2_VERSION,
-        .min_version = DTLS1_2_VERSION,
-        .max_version = DTLS1_2_VERSION,
+        .min_tls_version = TLS1_2_VERSION,
+        .max_tls_version = TLS1_2_VERSION,
         .ssl_new = dtls1_new,
         .ssl_clear = dtls1_clear,
         .ssl_free = dtls1_free,
@@ -210,8 +210,8 @@ static const SSL_METHOD_INTERNAL DTLSv1_2_client_method_internal_data = {
         .dtls = 1,
         .server = 0,
         .version = DTLS1_2_VERSION,
-        .min_version = DTLS1_2_VERSION,
-        .max_version = DTLS1_2_VERSION,
+        .min_tls_version = TLS1_2_VERSION,
+        .max_tls_version = TLS1_2_VERSION,
         .ssl_new = dtls1_new,
         .ssl_clear = dtls1_clear,
         .ssl_free = dtls1_free,
@@ -306,8 +306,8 @@ static const SSL_METHOD_INTERNAL TLS_method_internal_data = {
         .dtls = 0,
         .server = 1,
         .version = TLS1_3_VERSION,
-        .min_version = TLS1_VERSION,
-        .max_version = TLS1_3_VERSION,
+        .min_tls_version = TLS1_VERSION,
+        .max_tls_version = TLS1_3_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -336,8 +336,8 @@ static const SSL_METHOD_INTERNAL TLS_legacy_method_internal_data = {
         .dtls = 0,
         .server = 1,
         .version = TLS1_2_VERSION,
-        .min_version = TLS1_VERSION,
-        .max_version = TLS1_2_VERSION,
+        .min_tls_version = TLS1_VERSION,
+        .max_tls_version = TLS1_2_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -366,8 +366,8 @@ static const SSL_METHOD_INTERNAL TLS_client_method_internal_data = {
         .dtls = 0,
         .server = 0,
         .version = TLS1_3_VERSION,
-        .min_version = TLS1_VERSION,
-        .max_version = TLS1_3_VERSION,
+        .min_tls_version = TLS1_VERSION,
+        .max_tls_version = TLS1_3_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -397,8 +397,8 @@ static const SSL_METHOD_INTERNAL TLS_legacy_client_method_internal_data = {
         .dtls = 0,
         .server = 0,
         .version = TLS1_2_VERSION,
-        .min_version = TLS1_VERSION,
-        .max_version = TLS1_2_VERSION,
+        .min_tls_version = TLS1_VERSION,
+        .max_tls_version = TLS1_2_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -427,8 +427,8 @@ static const SSL_METHOD_INTERNAL TLSv1_method_internal_data = {
         .dtls = 0,
         .server = 1,
         .version = TLS1_VERSION,
-        .min_version = TLS1_VERSION,
-        .max_version = TLS1_VERSION,
+        .min_tls_version = TLS1_VERSION,
+        .max_tls_version = TLS1_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -456,8 +456,8 @@ static const SSL_METHOD_INTERNAL TLSv1_client_method_internal_data = {
         .dtls = 0,
         .server = 0,
         .version = TLS1_VERSION,
-        .min_version = TLS1_VERSION,
-        .max_version = TLS1_VERSION,
+        .min_tls_version = TLS1_VERSION,
+        .max_tls_version = TLS1_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -485,8 +485,8 @@ static const SSL_METHOD_INTERNAL TLSv1_1_method_internal_data = {
         .dtls = 0,
         .server = 1,
         .version = TLS1_1_VERSION,
-        .min_version = TLS1_1_VERSION,
-        .max_version = TLS1_1_VERSION,
+        .min_tls_version = TLS1_1_VERSION,
+        .max_tls_version = TLS1_1_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -514,8 +514,8 @@ static const SSL_METHOD_INTERNAL TLSv1_1_client_method_internal_data = {
         .dtls = 0,
         .server = 0,
         .version = TLS1_1_VERSION,
-        .min_version = TLS1_1_VERSION,
-        .max_version = TLS1_1_VERSION,
+        .min_tls_version = TLS1_1_VERSION,
+        .max_tls_version = TLS1_1_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -543,8 +543,8 @@ static const SSL_METHOD_INTERNAL TLSv1_2_method_internal_data = {
         .dtls = 0,
         .server = 1,
         .version = TLS1_2_VERSION,
-        .min_version = TLS1_2_VERSION,
-        .max_version = TLS1_2_VERSION,
+        .min_tls_version = TLS1_2_VERSION,
+        .max_tls_version = TLS1_2_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
@@ -572,8 +572,8 @@ static const SSL_METHOD_INTERNAL TLSv1_2_client_method_internal_data = {
         .dtls = 0,
         .server = 0,
         .version = TLS1_2_VERSION,
-        .min_version = TLS1_2_VERSION,
-        .max_version = TLS1_2_VERSION,
+        .min_tls_version = TLS1_2_VERSION,
+        .max_tls_version = TLS1_2_VERSION,
         .ssl_new = tls1_new,
         .ssl_clear = tls1_clear,
         .ssl_free = tls1_free,
diff --git a/src/lib/libssl/ssl_packet.c b/src/lib/libssl/ssl_packet.c
index fc1c3c07de..b383fe83e9 100644
--- a/src/lib/libssl/ssl_packet.c
+++ b/src/lib/libssl/ssl_packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_packet.c,v 1.9 2020/10/14 16:57:33 jsing Exp $ */
+/* $OpenBSD: ssl_packet.c,v 1.10 2021/02/25 17:06:05 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -247,12 +247,13 @@ ssl_server_legacy_first_packet(SSL *s)
                 return 1;
 
         /* Only continue if this is not a version locked method. */
-        if (s->method->internal->min_version == s->method->internal->max_version)
+        if (s->method->internal->min_tls_version ==
+            s->method->internal->max_tls_version)
                 return 1;
 
         if (ssl_is_sslv2_client_hello(&header) == 1) {
                 /* Only permit SSLv2 client hellos if TLSv1.0 is enabled. */
-                if (ssl_enabled_version_range(s, &min_version, NULL) != 1) {
+                if (ssl_enabled_tls_version_range(s, &min_version, NULL) != 1) {
                         SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
                         return -1;
                 }
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index 3c4801971e..a216de6e81 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.12 2021/02/22 15:59:10 jsing Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.13 2021/02/25 17:06:05 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -18,7 +18,7 @@
 #include "ssl_locl.h"
 
 static int
-ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver,
+ssl_clamp_tls_version_range(uint16_t *min_ver, uint16_t *max_ver,
     uint16_t clamp_min, uint16_t clamp_max)
 {
         if (clamp_min > clamp_max || *min_ver > *max_ver)
@@ -35,55 +35,71 @@ ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver,
 }
 
 int
-ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
-    uint16_t *out_ver, uint16_t *out_proto_ver)
+ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
+    uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
 {
         uint16_t min_version, max_version;
 
-        if (ver == 0) {
-                *out_ver = meth->internal->min_version;
+        if (proto_ver == 0) {
+                *out_tls_ver = meth->internal->min_tls_version;
                 *out_proto_ver = 0;
                 return 1;
         }
+        if (meth->internal->dtls) {
+                if (proto_ver != DTLS1_VERSION)
+                        return 0;
+                *out_tls_ver = TLS1_1_VERSION;
+                *out_proto_ver = proto_ver;
+                return 1;
+        }
 
-        min_version = ver;
-        max_version = max_ver;
+        min_version = proto_ver;
+        max_version = max_tls_ver;
 
-        if (!ssl_clamp_version_range(&min_version, &max_version,
-            meth->internal->min_version, meth->internal->max_version))
+        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
+            meth->internal->min_tls_version, meth->internal->max_tls_version))
                 return 0;
 
-        *out_ver = *out_proto_ver = min_version;
+        *out_tls_ver = min_version;
+        *out_proto_ver = min_version;
 
         return 1;
 }
 
 int
-ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
-    uint16_t *out_ver, uint16_t *out_proto_ver)
+ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
+    uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
 {
         uint16_t min_version, max_version;
 
-        if (ver == 0) {
-                *out_ver = meth->internal->max_version;
+        if (proto_ver == 0) {
+                *out_tls_ver = meth->internal->max_tls_version;
                 *out_proto_ver = 0;
                 return 1;
         }
+        if (meth->internal->dtls) {
+                if (proto_ver != DTLS1_VERSION)
+                        return 0;
+                *out_tls_ver = TLS1_1_VERSION;
+                *out_proto_ver = proto_ver;
+                return 1;
+        }
 
-        min_version = min_ver;
-        max_version = ver;
+        min_version = min_tls_ver;
+        max_version = proto_ver;
 
-        if (!ssl_clamp_version_range(&min_version, &max_version,
-            meth->internal->min_version, meth->internal->max_version))
+        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
+            meth->internal->min_tls_version, meth->internal->max_tls_version))
                 return 0;
 
-        *out_ver = *out_proto_ver = max_version;
+        *out_tls_ver = max_version;
+        *out_proto_ver = max_version;
 
         return 1;
 }
 
 int
-ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
+ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 {
         uint16_t min_version, max_version;
 
@@ -121,8 +137,8 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
                 return 0;
 
         /* Limit to configured version range. */
-        if (!ssl_clamp_version_range(&min_version, &max_version,
-            s->internal->min_version, s->internal->max_version))
+        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
+            s->internal->min_tls_version, s->internal->max_tls_version))
                 return 0;
 
         if (min_ver != NULL)
@@ -134,26 +150,19 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 }
 
 int
-ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
+ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 {
         uint16_t min_version, max_version;
 
-        /* DTLS cannot currently be disabled... */
-        if (SSL_is_dtls(s)) {
-                min_version = max_version = DTLS1_VERSION;
-                goto done;
-        }
-
-        if (!ssl_enabled_version_range(s, &min_version, &max_version))
+        if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
                 return 0;
 
         /* Limit to the versions supported by this method. */
-        if (!ssl_clamp_version_range(&min_version, &max_version,
-            s->method->internal->min_version,
-            s->method->internal->max_version))
+        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
+            s->method->internal->min_tls_version,
+            s->method->internal->max_tls_version))
                 return 0;
 
- done:
         if (min_ver != NULL)
                 *min_ver = min_version;
         if (max_ver != NULL)
@@ -167,7 +176,12 @@ ssl_max_supported_version(SSL *s, uint16_t *max_ver)
 {
         *max_ver = 0;
 
-        if (!ssl_supported_version_range(s, NULL, max_ver))
+        if (SSL_is_dtls(s)) {
+                *max_ver = DTLS1_VERSION;
+                return 1;
+        }
+
+        if (!ssl_supported_tls_version_range(s, NULL, max_ver))
                 return 0;
 
         return 1;
@@ -199,7 +213,7 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
         else
                 return 0;
 
-        if (!ssl_supported_version_range(s, &min_version, &max_version))
+        if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
                 return 0;
 
         if (shared_version < min_version)
@@ -232,12 +246,12 @@ ssl_downgrade_max_version(SSL *s, uint16_t *max_ver)
                 return 1;
         }
 
-        if (!ssl_enabled_version_range(s, &min_version, &max_version))
+        if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
                 return 0;
 
-        if (!ssl_clamp_version_range(&min_version, &max_version,
-            s->ctx->method->internal->min_version,
-            s->ctx->method->internal->max_version))
+        if (!ssl_clamp_tls_version_range(&min_version, &max_version,
+            s->ctx->method->internal->min_tls_version,
+            s->ctx->method->internal->max_tls_version))
                 return 0;
 
         *max_ver = max_version;
@@ -255,7 +269,7 @@ ssl_check_version_from_server(SSL *s, uint16_t server_version)
         if (SSL_is_dtls(s))
                 return (server_version == DTLS1_VERSION);
 
-        if (!ssl_supported_version_range(s, &min_version, &max_version))
+        if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
                 return 0;
 
         return (server_version >= min_version && server_version <= max_version);
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index fbb84dcc87..a7c3bf2c00 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.72 2021/02/22 16:15:49 tb Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.73 2021/02/25 17:06:05 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -31,7 +31,7 @@ tls13_client_init(struct tls13_ctx *ctx)
         size_t groups_len;
         SSL *s = ctx->ssl;
 
-        if (!ssl_supported_version_range(s, &ctx->hs->min_version,
+        if (!ssl_supported_tls_version_range(s, &ctx->hs->min_version,
             &ctx->hs->max_version)) {
                 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
                 return 0;
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index bacd11b950..f611aa061d 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_legacy.c,v 1.21 2021/01/07 16:26:31 tb Exp $ */
+/*      $OpenBSD: tls13_legacy.c,v 1.22 2021/02/25 17:06:05 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -359,7 +359,7 @@ tls13_use_legacy_client(struct tls13_ctx *ctx)
                 return 0;
 
         s->internal->handshake_func = s->method->internal->ssl_connect;
-        s->client_version = s->version = s->method->internal->max_version;
+        s->client_version = s->version = s->method->internal->max_tls_version;
 
         S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
 
@@ -375,7 +375,7 @@ tls13_use_legacy_server(struct tls13_ctx *ctx)
                 return 0;
 
         s->internal->handshake_func = s->method->internal->ssl_accept;
-        s->client_version = s->version = s->method->internal->max_version;
+        s->client_version = s->version = s->method->internal->max_tls_version;
         s->server = 1;
 
         S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 0b079c1d83..715066fb59 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.69 2021/01/09 10:41:48 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.70 2021/02/25 17:06:05 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -29,7 +29,7 @@ tls13_server_init(struct tls13_ctx *ctx)
 {
         SSL *s = ctx->ssl;
 
-        if (!ssl_supported_version_range(s, &ctx->hs->min_version,
+        if (!ssl_supported_tls_version_range(s, &ctx->hs->min_version,
             &ctx->hs->max_version)) {
                 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
                 return 0;