From 7e5d2cb927223e2d6b747ecab3022cfb81b37b7f Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 11 Sep 2022 18:13:30 +0000
Subject: Enforce the minimum TLS version requirement for QUIC.

ok tb@
---
 src/lib/libssl/ssl_versions.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'src/lib')

diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index 06e26b8059..4a58f14ccd 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.23 2022/06/30 11:17:50 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.24 2022/09/11 18:13:30 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing
 *
@@ -177,6 +177,14 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 s->internal->min_tls_version, s->internal->max_tls_version))
 return 0;
 
+ /* QUIC requires a minimum of TLSv1.3. */
+ if (SSL_is_quic(s)) {
+ if (max_version < TLS1_3_VERSION)
+ return 0;
+ if (min_version < TLS1_3_VERSION)
+ min_version = TLS1_3_VERSION;
+ }
+
 if (min_ver != NULL)
 *min_ver = min_version;
 if (max_ver != NULL)
-- 
cgit v1.2.3-55-g6feb
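Review bot: The new QUIC branch in ssl_enabled_tls_version_range() is a downgrade guard, but the diffstat shows only this one file changed, so the commit adds no regression test for it. Two cases are worth pinning: a QUIC `SSL` whose clamped `max_version` is below `TLS1_3_VERSION` must make the function return 0, and one configured with a lower minimum must report `*min_ver == TLS1_3_VERSION`. The added `return 0` is indistinguishable from the clamp failure just above it and leaves `*min_ver` and `*max_ver` unwritten, so it is worth confirming that every caller checks the return value before using them. I would also tie the comment to the requirement it enforces, e.g. `/* QUIC requires a minimum of TLSv1.3 (RFC 9001, section 4.2). */`. The function body starts before and continues after this hunk, so any handling outside the visible lines is not covered by this note.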