From a49dcaedc471e79508b3e5674c538ca90f5c4e2e Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 31 May 2020 16:36:35 +0000
Subject: Correct downgrade sentinels when a version pinned method is in use.

Previously only the enabled protocol versions were considered, however we
also have to consider the method in use which may be version pinned.

Found the hard way by danj@ with haproxy and force-tlsv12.

ok beck@ inoguchi@ tb@
---
 src/lib/libssl/ssl_clnt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/lib/libssl/ssl_clnt.c')

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index fb29e4f5f6..4d003466c4 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.67 2020/05/19 16:35:20 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.68 2020/05/31 16:36:35 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -873,7 +873,7 @@ ssl3_get_server_hello(SSL *s)
 	    sizeof(s->s3->server_random), NULL))
 		goto err;
 
-	if (!SSL_IS_DTLS(s) && !ssl_enabled_version_range(s, NULL, &max_version))
+	if (!ssl_downgrade_max_version(s, &max_version))
 		goto err;
 	if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION &&
 	    s->version < max_version) {
-- 
cgit v1.2.3-55-g6feb