Commit abeb2a63 authored by Matt Caswell's avatar Matt Caswell
Browse files

Tweak the check that a ciphersuite has not changed since the HRR 



Reviewed-by: default avatarBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3623)
parent 3b0e88d3

ssl/statem/statem_srvr.c

+3 −2
Original line number Diff line number Diff line
@@ -1615,8 +1615,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) 
            al = SSL_AD_HANDSHAKE_FAILURE;

            goto err;

        }

        if (s->hello_retry_request && s->s3->tmp.new_cipher != NULL

                && s->s3->tmp.new_cipher->id != cipher->id) {

        if (s->hello_retry_request

                && (s->s3->tmp.new_cipher == NULL

                    || s->s3->tmp.new_cipher->id != cipher->id)) {

            /*

             * A previous HRR picked a different ciphersuite to the one we

             * just selected. Something must have changed.