From 1e2d4cb0e181ca6414b57c3e9a233bfa196d90a6 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Thu, 4 Apr 2013 18:19:18 +0100
Subject: [PATCH] Make TLS 1.2 ciphers work again.

Since s->method does not reflect the final client version when a client
hello is sent for SSLv23_client_method it can't be relied on to indicate
if TLS 1.2 ciphers should be used. So use the client version instead.
---
 ssl/ssl_locl.h | 6 ++++++
 ssl/t1_lib.c   | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 101f4e9761..f1cbc6f2eb 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -453,6 +453,12 @@
  */
 #define SSL_USE_TLS1_2_CIPHERS(s)	\
 		(s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)
+/* Determine if a client can use TLS 1.2 ciphersuites: can't rely on method
+ * flags because it may not be set to correct version yet.
+ */
+#define SSL_CLIENT_USE_TLS1_2_CIPHERS(s)	\
+		((SSL_IS_DTLS(s) && s->client_version <= DTLS1_2_VERSION) || \
+		(!SSL_IS_DTLS(s) && s->client_version >= TLS1_2_VERSION))
 
 /* Mostly for SSLv3 */
 #define SSL_PKEY_RSA_ENC	0
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 8cb018d65e..31daa50d3e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1010,7 +1010,7 @@ void ssl_set_client_disabled(SSL *s)
 	c->mask_a = 0;
 	c->mask_k = 0;
 	/* Don't allow TLS 1.2 only ciphers if we don't suppport them */
-	if (!SSL_USE_TLS1_2_CIPHERS(s))
+	if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
 		c->mask_ssl = SSL_TLSV1_2;
 	else
 		c->mask_ssl = 0;
-- 
GitLab