check SSL_OP_NO_TLSv1_2 in TLS 1.3 enabled client

2025-07-29 18:27:29 +02:00 · 2021-10-28 16:30:02 -06:00
parent 6bb7e3900e
commit afad1374a3
1 changed files with 9 additions and 0 deletions
--- a/src/tls13.c
+++ b/src/tls13.c
@ -3419,6 +3419,15 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                            "TLS v1.3");
                return VERSION_ERROR;
            }
+#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
+    defined(WOLFSSL_WPAS_SMALL)
+            /* Check if client has disabled TLS 1.2 */
+            if (args->pv.minor == TLSv1_2_MINOR &&
+                (ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) {
+                WOLFSSL_MSG("\tOption set to not allow TLSv1.2");
+                return VERSION_ERROR;
+            }
+#endif

            if (args->pv.minor < ssl->options.minDowngrade)
                return VERSION_ERROR;