From ce32f3a539dedbc3b8265679316aeed610b9f45b Mon Sep 17 00:00:00 2001
From: Frederik Wedel-Heinen
Date: Thu, 12 Oct 2023 13:55:32 +0200
Subject: Don't allow renegotiation for DTLS 1.3
Reviewed-by: Matt Caswell
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/22362)
---
 apps/include/s_apps.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/apps/include/s_apps.h b/apps/include/s_apps.h
index 33c3b6278c..85eb6dcf36 100644
--- a/apps/include/s_apps.h
+++ b/apps/include/s_apps.h
@@ -16,7 +16,9 @@
 #define PROTOCOL "tcp"
 #define SSL_VERSION_ALLOWS_RENEGOTIATION(s) \
- (SSL_is_dtls(s) || (SSL_version(s) < TLS1_3_VERSION))
+ ((SSL_is_dtls(s) && (SSL_version(s) > DTLS1_3_VERSION \
+ || SSL_version(s) == DTLS1_BAD_VER)) \
+ || (!SSL_is_dtls(s) && SSL_version(s) < TLS1_3_VERSION))
 typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context);
 void get_sock_info_address(int asock, char **hostname, char **service);
-- cgit v1.2.3
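Review bot: The comparison direction in the new DTLS branch of SSL_VERSION_ALLOWS_RENEGOTIATION reads backwards without context, because DTLS version constants decrease as the protocol gets newer, so `SSL_version(s) > DTLS1_3_VERSION` is what selects the pre-1.3 DTLS versions while the same macro uses `<` for TLS; a comment should say so before someone "fixes" it. Suggest adding above the #define: `/* DTLS version numbers decrease with newer versions, so ">" means "older than DTLS 1.3"; DTLS1_BAD_VER sorts below them and is listed explicitly. */`. The macro now also evaluates `s` up to five times (two SSL_is_dtls and three SSL_version calls), which is harmless for a plain SSL pointer but would be cleaner and self-documenting as a `static inline int` helper that reads the version once into a local. The surrounding header continues outside the hunk.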