diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 101f4e9761634c98097ed476b1618f4eb5ffcb90..f1cbc6f2ebbd19fc88b9fbe1bc3cd9834c4a4f9b 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -453,6 +453,12 @@ */ #define SSL_USE_TLS1_2_CIPHERS(s) \ (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) +/* Determine if a client can use TLS 1.2 ciphersuites: can't rely on method + * flags because it may not be set to correct version yet. + */ +#define SSL_CLIENT_USE_TLS1_2_CIPHERS(s) \ + ((SSL_IS_DTLS(s) && s->client_version <= DTLS1_2_VERSION) || \ + (!SSL_IS_DTLS(s) && s->client_version >= TLS1_2_VERSION)) /* Mostly for SSLv3 */ #define SSL_PKEY_RSA_ENC 0 diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 8cb018d65e7ff166e02800229268fc62be23af71..31daa50d3ee6f115fb8a768745aa9532e5a0504a 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1010,7 +1010,7 @@ void ssl_set_client_disabled(SSL *s) c->mask_a = 0; c->mask_k = 0; /* Don't allow TLS 1.2 only ciphers if we don't suppport them */ - if (!SSL_USE_TLS1_2_CIPHERS(s)) + if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s)) c->mask_ssl = SSL_TLSV1_2; else c->mask_ssl = 0;