mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-07 21:00:51 +02:00
130f683d8c
When resuming a session wolfSSL_SetSession unconditionally overwrote ssl->version with the version stored in the cached session, even if that version was below the WOLFSSL's configured minDowngrade. The overwritten version then fed straight into SendClientHello, so a client configured to require TLS 1.2 or higher could still emit a ClientHello advertising e.g. TLS 1.0 when resuming an old cached session. The ServerHello path catches the actual downgrade, but the ClientHello version is already a protocol-conformance issue and can confuse middleboxes. Reject the session if its stored minor version is below ssl->options.minDowngrade. The check is DTLS-aware: DTLS minor versions decrease as the protocol version increases, so the direction of the comparison is flipped for DTLS. F-2105
Before creating any new configure files (.conf) read the CONF_FILES_README.md