use client version when eliminating TLS v1.2 ciphersuites in client hello

author: Dr. Stephen Henson <steve@openssl.org> 2011-10-07 15:07:19 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2011-10-07 15:07:19 +0000
commit: 6dd547398acfd022cd0f7354b9ab6a83bea3176a (patch)
tree: b6550897cc46b7a5b4cc8712dc2719e4cd5b0f2d /ssl
parent: 66bb328e1182bffe3b26c677802ec620a4eddfc9 (diff)
2 files changed, 4 insertions, 1 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 4c4665b088..c983474f58 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1381,7 +1381,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
 		c=sk_SSL_CIPHER_value(sk,i);
 		/* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
 		if ((c->algorithm_ssl & SSL_TLSV1_2) && 
-			(TLS1_get_version(s) < TLS1_2_VERSION))
+			(TLS1_get_client_version(s) < TLS1_2_VERSION))
 			continue;
 #ifndef OPENSSL_NO_KRB5
 		if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) &&
diff --git a/ssl/tls1.h b/ssl/tls1.h
index 8fe7d7cef2..14b5d9bfdf 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -174,6 +174,9 @@ extern "C" {
 #define TLS1_get_version(s) \
 		((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
 
+#define TLS1_get_client_version(s) \
+		((s->client_version >> 8) == TLS1_VERSION_MAJOR ? s->client_version : 0)
+
 #define TLS1_AD_DECRYPTION_FAILED	21
 #define TLS1_AD_RECORD_OVERFLOW		22
 #define TLS1_AD_UNKNOWN_CA		48	/* fatal */
author	Dr. Stephen Henson <steve@openssl.org>	2011-10-07 15:07:19 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2011-10-07 15:07:19 +0000
commit	6dd547398acfd022cd0f7354b9ab6a83bea3176a (patch)
tree	b6550897cc46b7a5b4cc8712dc2719e4cd5b0f2d /ssl
parent	66bb328e1182bffe3b26c677802ec620a4eddfc9 (diff)