From b640c5f7f1ee7bfdfee44d5c84459dfb76f880d9 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sun, 17 Nov 2019 00:16:58 +0000
Subject: Drop back to the legacy tls method if we are doing client authenticaiton from a tls 1.3 connection, for now.

ok jsing@
---
 src/lib/libssl/tls13_client.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index a9f1b6bbd5..e092e7f811 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.16 2019/04/05 20:23:38 tb Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.17 2019/11/17 00:16:58 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing
 *
@@ -63,6 +63,12 @@ tls13_legacy_connect(SSL *ssl)
 struct tls13_ctx *ctx = ssl->internal->tls13;
 int ret;

+ /* XXX drop back to legacy for client auth for now */
+ if (ssl->cert->key != NULL) {
+ ssl->method = tls_legacy_client_method();
+ return ssl->method->internal->ssl_connect(ssl);
+ }
+
 if (ctx == NULL) {
 if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) {
 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
--
cgit v1.2.3-55-g6feb
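Review bot: The fallback added to tls13_legacy_connect() keys on `ssl->cert->key != NULL`, i.e. on a client key being configured rather than on the server requesting a certificate, so every such client silently leaves the TLS 1.3 path even against servers that never ask for client auth. If the legacy method ends up negotiating TLS 1.2 or lower (its version range is not visible here), the client certificate is also sent unencrypted in the handshake, which the comment should say, e.g. `/* XXX any configured client key forces the legacy stack (no TLS 1.3) until TLS 1.3 client auth is supported */`. The check also sits ahead of the `ctx == NULL` test, so it would fire on a re-entered handshake if a key were installed between calls; `if (ctx == NULL && ssl->cert->key != NULL) {` would limit the method switch to handshake start. The function body continues past the end of the hunk.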