From afad1374a39d4c576485134b64a075b17b13fbb0 Mon Sep 17 00:00:00 2001
From: Chris Conlon
Date: Thu, 28 Oct 2021 16:30:02 -0600
Subject: [PATCH] check SSL_OP_NO_TLSv1_2 in TLS 1.3 enabled client
---
 src/tls13.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/tls13.c b/src/tls13.c
index 70d9f6cce..40a78cdbf 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -3419,6 +3419,15 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 "TLS v1.3");
 return VERSION_ERROR;
 }
+#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
+ defined(WOLFSSL_WPAS_SMALL)
+ /* Check if client has disabled TLS 1.2 */
+ if (args->pv.minor == TLSv1_2_MINOR &&
+ (ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) {
+ WOLFSSL_MSG("\tOption set to not allow TLSv1.2");
+ return VERSION_ERROR;
+ }
+#endif
 if (args->pv.minor < ssl->options.minDowngrade)
 return VERSION_ERROR;
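Review bot: The new `if` block only refuses a server-selected TLS 1.2; the `minDowngrade` comparison that immediately follows suggests lower minors can also be reached on this path when downgrade is allowed, and in that case an `SSL_OP_NO_TLSv1_1` or `SSL_OP_NO_TLSv1` bit set in `ssl->options.mask` would still be ignored here, so the client could end up negotiating a version the application explicitly disabled. If those option bits and `TLSv1_1_MINOR`/`TLSv1_MINOR` are available under the same `#if` gate, mirror the added block for them, or replace it with a single lookup that maps `args->pv.minor` to the corresponding `SSL_OP_NO_*` bit and tests that against the mask. The mask test itself reads more simply as `(ssl->options.mask & SSL_OP_NO_TLSv1_2) != 0`, which is equivalent for a single-bit flag. DoTls13ServerHello begins and continues outside the hunk, so whether TLS 1.1/1.0 are actually reachable here should be confirmed against the rest of the function.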