From 418044cbab5720dbefe6182c8db377102ac61f74 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Thu, 29 Mar 2012 19:08:54 +0000
Subject: Experimental workaround to large client hello issue (see PR#2771).

If OPENSSL_NO_TLS1_2_CLIENT is set then TLS v1.2 is disabled for clients
only.
---
 ssl/s23_clnt.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'ssl/s23_clnt.c')

diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index b3c48232d7..13412f26aa 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -287,12 +287,14 @@ static int ssl23_client_hello(SSL *s)
 
 	if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
 		ssl2_compat = 0;
-
+#ifndef OPENSSL_NO_TLS1_2_CLIENT
 	if (!(s->options & SSL_OP_NO_TLSv1_2))
 		{
 		version = TLS1_2_VERSION;
 		}
-	else if (!(s->options & SSL_OP_NO_TLSv1_1))
+	else
+#endif
+	if (!(s->options & SSL_OP_NO_TLSv1_1))
 		{
 		version = TLS1_1_VERSION;
 		}
-- 
cgit v1.2.3