From f0d432029321083529b36d45280f5308ff8bf24f Mon Sep 17 00:00:00 2001
From: tb <>
Date: Wed, 15 May 2019 19:25:15 +0000
Subject: In DTLS, use_srtp is part of the extended server hello while in TLSv1.3, it is an encrypted extension. Include it in the server hello for now. This will have to be revisited once TLSv1.3 gets there. Fixes SRTP negotiation. Problem found by two rust-openssl regress failures reported by mikeb. with & ok beck OpenBSD 6.5 errata 002
---
 src/lib/libssl/ssl_tlsext.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 0e37cc3cc0..00afe1e586 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.44 2019/03/25 17:21:18 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.44.2.1 2019/05/15 19:25:15 tb Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing
 * Copyright (c) 2017 Doug Hogan
@@ -1822,7 +1822,8 @@ static struct tls_extension tls_extensions[] = {
 #ifndef OPENSSL_NO_SRTP
 {
 .type = TLSEXT_TYPE_use_srtp,
- .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
+ .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ |
+ SSL_TLSEXT_MSG_EE,
 .client = {
 .needs = tlsext_srtp_client_needs,
 .build = tlsext_srtp_client_build,
-- 
cgit v1.2.3-55-g6feb
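Review bot: The bare `/* XXX */` next to `SSL_TLSEXT_MSG_SH` in the `use_srtp` entry does not record why the flag is there or when it must be removed, and that reasoning is security-relevant. The commit message says DTLS carries use_srtp in the ServerHello while TLSv1.3 carries it only in EncryptedExtensions. As far as this hunk shows, the `.messages` mask is keyed on message type alone, so once a TLSv1.3 handshake consults this table the extension would also be accepted or emitted in a cleartext ServerHello, which RFC 8446 section 4.2 requires a peer to reject with illegal_parameter. I would spell that out in place, for example `/* XXX: SH is for DTLS only; TLSv1.3 allows use_srtp in EE only - drop SH or gate it on version before enabling TLSv1.3 */`. A regress case that fails when use_srtp appears in a TLSv1.3 ServerHello would keep the follow-up from being forgotten; the `tls_extensions[]` table starts and ends outside the hunk, so whether other entries already carry a version gate cannot be checked from here.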