From a3f1e8b18009ab6254759e25782b2db39d6166ce Mon Sep 17 00:00:00 2001
From: Joel Sing <jsing@cvs.openbsd.org>
Date: Sat, 25 Jan 2020 12:31:43 +0000
Subject: Only send an RI extension for pre-TLSv1.3 versions.

ok beck@
---
 lib/libssl/ssl_tlsext.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'lib/libssl')

diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index e66bd08f844..b76a48b99aa 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.54 2020/01/22 10:38:11 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.55 2020/01/25 12:31:42 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -443,7 +443,7 @@ tlsext_ri_server_parse(SSL *s, CBS *cbs, int *alert)
 int
 tlsext_ri_server_needs(SSL *s)
 {
-	return (S3I(s)->send_connection_binding);
+	return (s->version < TLS1_3_VERSION && S3I(s)->send_connection_binding);
 }
 
 int
-- 
cgit v1.2.3