From f6ec5bc3dcc9fa827f0aa4e61d3f864d41202d94 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Wed, 13 May 2020 17:53:15 +0000 Subject: Switch back to the legacy stack where the maximum is less than TLSv1.3. This allows a server configured to only support TLSv1.2 and earlier, to correctly handle connections from a TLSv1.3 capable client. Issue reported by pvk@ ok inoguchi@ tb@ --- src/lib/libssl/tls13_server.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/lib/libssl/tls13_server.c') diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index ec612df90e..cd5f19afeb 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_server.c,v 1.45 2020/05/11 17:49:46 jsing Exp $ */ +/* $OpenBSD: tls13_server.c,v 1.46 2020/05/13 17:53:15 jsing Exp $ */ /* * Copyright (c) 2019, 2020 Joel Sing * Copyright (c) 2020 Bob Beck @@ -115,7 +115,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) goto err; - if (tls13_client_hello_is_legacy(cbs)) { + if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) { if (!CBS_skip(cbs, CBS_len(cbs))) goto err; return tls13_use_legacy_server(ctx); -- cgit v1.2.3-55-g6feb