wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-04 13:14:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2964 from SparkiDev/tls13down_tls12

Browse Source 
Only check downgrade when TLS 1.2 and no flag set
This commit is contained in:
toddouska
2020-05-13 16:25:02 -07:00
committed by GitHub
parent 6c9a0e440e ed4899dd91
commit 6f750c07b5
1 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/internal.c
View File

@@ -20240,7 +20240,11 @@ exit_dpk:
else
#endif
if (ssl->ctx->method->version.major == SSLv3_MAJOR &&
ssl->ctx->method->version.minor == TLSv1_2_MINOR) {
ssl->ctx->method->version.minor == TLSv1_2_MINOR
#ifdef OPENSSL_EXTRA
&& (wolfSSL_get_options(ssl) & SSL_OP_NO_TLSv1_2) == 0
#endif
) {
/* TLS v1.2 capable client not allowed to downgrade when
* connecting to TLS v1.2 capable server.
*/
@@ -24232,6 +24236,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif
if (ssl->ctx->method->version.major == SSLv3_MAJOR &&
ssl->ctx->method->version.minor == TLSv1_2_MINOR &&
#ifdef OPENSSL_EXTRA
(wolfSSL_get_options(ssl) & SSL_OP_NO_TLSv1_2) == 0 &&
#endif
!IsAtLeastTLSv1_2(ssl)) {
/* TLS v1.2 capable server downgraded. */
XMEMCPY(output + idx + RAN_LEN - (TLS13_DOWNGRADE_SZ + 1),