feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Only check downgrade when TLS 1.2 and no flag set

Browse Source 
The flag, SSL_OP_NO_TLSv1_2, indicates not to negotiate TLS v1.2.
This commit is contained in:
Sean Parkinson
2020-05-11 13:18:50 +10:00
parent 7c98451f24
commit ed4899dd91
1 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/internal.c
View File

@ -20238,7 +20238,11 @@ exit_dpk:
else
#endif
if (ssl->ctx->method->version.major == SSLv3_MAJOR &&
ssl->ctx->method->version.minor == TLSv1_2_MINOR) {
ssl->ctx->method->version.minor == TLSv1_2_MINOR
#ifdef OPENSSL_EXTRA
&& (wolfSSL_get_options(ssl) & SSL_OP_NO_TLSv1_2) == 0
#endif
) {
/* TLS v1.2 capable client not allowed to downgrade when
* connecting to TLS v1.2 capable server.
*/
@ -24230,6 +24234,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif
if (ssl->ctx->method->version.major == SSLv3_MAJOR &&
ssl->ctx->method->version.minor == TLSv1_2_MINOR &&
#ifdef OPENSSL_EXTRA
(wolfSSL_get_options(ssl) & SSL_OP_NO_TLSv1_2) == 0 &&
#endif
!IsAtLeastTLSv1_2(ssl)) {
/* TLS v1.2 capable server downgraded. */
XMEMCPY(output + idx + RAN_LEN - (TLS13_DOWNGRADE_SZ + 1),