1 files changed, 5 insertions, 5 deletions

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 797eb84001..0ed53f7ab2 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.89 2021/03/29 16:46:09 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.90 2021/04/22 18:27:53 tb Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -2105,6 +2105,10 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
                             CBS_len(&extension_data),
                             s->internal->tlsext_debug_arg);
 
+                /* Unknown extensions are ignored. */
+                if ((tlsext = tls_extension_find(type, &idx)) == NULL)
+                        continue;
+
                 if (tls_version >= TLS1_3_VERSION && is_server &&
                     msg_type == SSL_TLSEXT_MSG_CH) {
                         if (!tlsext_clienthello_hash_extension(s, type,
@@ -2112,10 +2116,6 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
                                 goto err;
                 }
 
-                /* Unknown extensions are ignored. */
-                if ((tlsext = tls_extension_find(type, &idx)) == NULL)
-                        continue;
-
                 /* RFC 8446 Section 4.2 */
                 if (tls_version >= TLS1_3_VERSION &&
                     !(tlsext->messages & msg_type)) {