From 311178d4551fb6da7b2cf79e0d58e93b4005ee0f Mon Sep 17 00:00:00 2001 From: Joel Sing Date: Wed, 13 May 2020 17:53:16 +0000 Subject: Switch back to the legacy stack where the maximum is less than TLSv1.3. This allows a server configured to only support TLSv1.2 and earlier, to correctly handle connections from a TLSv1.3 capable client. Issue reported by pvk@ ok inoguchi@ tb@ --- lib/libssl/tls13_server.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/libssl') diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c index ec612df90e7..cd5f19afebf 100644 --- a/lib/libssl/tls13_server.c +++ b/lib/libssl/tls13_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_server.c,v 1.45 2020/05/11 17:49:46 jsing Exp $ */ +/* $OpenBSD: tls13_server.c,v 1.46 2020/05/13 17:53:15 jsing Exp $ */ /* * Copyright (c) 2019, 2020 Joel Sing * Copyright (c) 2020 Bob Beck @@ -115,7 +115,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) goto err; - if (tls13_client_hello_is_legacy(cbs)) { + if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) { if (!CBS_skip(cbs, CBS_len(cbs))) goto err; return tls13_use_legacy_server(ctx); -- cgit v1.2.3