From 65c76cd2c9e8da9468dd490b334e56c51dbef582 Mon Sep 17 00:00:00 2001 From: Daniil Zotkin Date: Tue, 24 Sep 2019 11:08:23 +0300 Subject: Do not print extensions in Certificate message for TLS1.2 and lower According to RFC8446 CertificateEntry in Certificate message contains extensions that were not present in the Certificate message in RFC5246. CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9994) --- ssl/t1_trce.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'ssl')
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index a2cb4f7385..c55c172b88 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -1242,8 +1242,9 @@ static int ssl_print_certificates(BIO *bio, const SSL *ssl, int server,
 while (clen > 0) {
 if (!ssl_print_certificate(bio, indent + 2, &msg, &clen))
 return 0;
- if (!ssl_print_extensions(bio, indent + 2, server, SSL3_MT_CERTIFICATE,
- &msg, &clen))
+ if (SSL_IS_TLS13(ssl)
+ && !ssl_print_extensions(bio, indent + 2, server,
+ SSL3_MT_CERTIFICATE, &msg, &clen))
 return 0;
 }
--
cgit v1.2.3
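Review bot: The new `SSL_IS_TLS13(ssl)` condition inside the `while (clen > 0)` loop carries no comment explaining why extension parsing is version-gated, so the reason lives only in the commit message. I would add above the `if`: `/* CertificateEntry has extensions only in TLS 1.3 (RFC 8446); RFC 5246 lists bare certificates */`. Because this loop walks peer-supplied bytes, a trace test over a TLS 1.2 chain with more than one certificate would pin the behaviour; the diffstat shows only ssl/t1_trce.c changing. ssl_print_certificates starts and ends outside the hunk, so whether `ssl_print_certificate` and `ssl_print_extensions` bound every read by `clen` cannot be confirmed from these lines.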