From 28b584ddd2d0a41bceacbb1c350d790e3a39cd75 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 11 May 2020 17:49:46 +0000
Subject: Set the record layer legacy version from the TLSv1.3 server. This will be used to handle record version checks. ok tb@
---
 src/lib/libssl/tls13_server.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 1c286f573e..ec612df90e 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.44 2020/05/11 17:23:35 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.45 2020/05/11 17:49:46 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing
 * Copyright (c) 2020 Bob Beck
@@ -37,6 +37,8 @@ tls13_server_init(struct tls13_ctx *ctx)
 if (!ssl_get_new_session(s, 0)) /* XXX */
 return 0;

+ tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
+
 if (!tls1_transcript_init(s))
 return 0;

@@ -183,6 +185,8 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 if (s->method->internal->version < TLS1_3_VERSION)
 return 1;

+ tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
+
 /*
 * If a matching key share was provided, we do not need to send a
 * HelloRetryRequest.
-- 
cgit v1.2.3-55-g6feb
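Review bot: The new `tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION)` call in tls13_server_init carries no comment saying why the starting value is TLS 1.0 and not TLS 1.2, and the same gap applies to the `TLS1_2_VERSION` call added in tls13_client_hello_recv. RFC 8446 section 5.1 permits a 0x0301 record version only on an initial ClientHello and requires 0x0303 on every other record, so the two values encode a protocol rule that a later reader should not have to rediscover. I would add `/* An initial ClientHello may carry a 0x0301 record version (RFC 8446 section 5.1). */` above the first call and `/* Every later record must carry 0x0303. */` above the second. How the record layer consumes the value is not visible in this diff; the commit message says the version checks come later. The body of tls13_server_init continues outside the hunk.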
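Review bot: The `TLS1_2_VERSION` call in tls13_client_hello_recv sits after the `return 1` taken when `s->method->internal->version < TLS1_3_VERSION`, so on that path the record layer keeps the `TLS1_VERSION` value set in tls13_server_init. That is presumably harmless if the path hands the connection to the legacy stack, but the hunk does not show it. Once confirmed, a one-line comment such as `/* Not reached on the legacy path, where the TLSv1.3 record layer is no longer used. */` would record the intent. Because the call also precedes the HelloRetryRequest decision, a second ClientHello would be held to 0x0303 once the checks exist, which deserves a regression test when they land. tls13_client_hello_recv starts and ends outside the hunk.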