Commit 1e2d4cb0 authored Apr 04, 2013 by Dr. Stephen Henson

Make TLS 1.2 ciphers work again.

Since s->method does not reflect the final client version when a client
hello is sent for SSLv23_client_method it can't be relied on to indicate
if TLS 1.2 ciphers should be used. So use the client version instead.

parent 99cda437

ssl/ssl_locl.h

+6 −0

Original line number	Diff line number	Diff line
		@@ -453,6 +453,12 @@
		*/
		#define SSL_USE_TLS1_2_CIPHERS(s) \
		(s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)
		/* Determine if a client can use TLS 1.2 ciphersuites: can't rely on method
		* flags because it may not be set to correct version yet.
		*/
		#define SSL_CLIENT_USE_TLS1_2_CIPHERS(s) \
		((SSL_IS_DTLS(s) && s->client_version <= DTLS1_2_VERSION) \|\| \
		(!SSL_IS_DTLS(s) && s->client_version >= TLS1_2_VERSION))

		/* Mostly for SSLv3 */
		#define SSL_PKEY_RSA_ENC 0

ssl/t1_lib.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1010,7 +1010,7 @@ void ssl_set_client_disabled(SSL *s)
		c->mask_a = 0;
		c->mask_k = 0;
		/* Don't allow TLS 1.2 only ciphers if we don't suppport them */
		if (!SSL_USE_TLS1_2_CIPHERS(s))
		if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
		c->mask_ssl = SSL_TLSV1_2;
		else
		c->mask_ssl = 0;