The SSL_OP_NO_QUERY_MTU option is supposed to stop the mtu from being

automatically updated, and we should use the one provided instead.
Unfortunately there are a couple of locations where this is not respected.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 001235778a6e9c645dc0507cad6092d99c9af8f5)

2 files changed, 11 insertions, 3 deletions

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index e83f9353a0..ca9eea86ee 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -350,10 +350,17 @@ int dtls1_do_write(SSL *s, int type)
 			 */
 			if ( BIO_ctrl(SSL_get_wbio(s),
 				BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0 )
-				s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
-					BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
+				{
+				if(!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
+					s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
+						BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
+				else
+					return -1;
+				}
 			else
+				{
 				return(-1);
+				}
 			}
 		else
 			{
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 9f8b33b193..2f696c52d8 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -406,7 +406,8 @@ int dtls1_check_timeout_num(SSL *s)
 	s->d1->timeout.num_alerts++;
 
 	/* Reduce MTU after 2 unsuccessful retransmissions */
-	if (s->d1->timeout.num_alerts > 2)
+	if (s->d1->timeout.num_alerts > 2
+			&& !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
 		{
 		s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);		
 		}