From: jsing
Date: Sun, 27 Jun 2021 16:54:14 +0000 (+0000)
Subject: Correct handling of SSL_OP_NO_DTLSv1.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=007a3d8dba306157e83a1eaf11e536eefab710ec;p=openbsd
Correct handling of SSL_OP_NO_DTLSv1.
When converting to TLS flags, we need to also include SSL_OP_NO_TLSv1, otherwise the TLS equivalent of SSL_OP_NO_DTLSv1 is TLSv1.0 only, which does not work so well when we try to switch back to DTLS versions.
---
diff --git a/lib/libssl/ssl_versions.c b/lib/libssl/ssl_versions.c
index 0d8487d577a..68e69ebca31 100644
--- a/lib/libssl/ssl_versions.c
+++ b/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.18 2021/03/19 19:52:55 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.19 2021/06/27 16:54:14 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing
 *
@@ -145,9 +145,9 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 if (SSL_is_dtls(s)) {
 options = 0;
 if (s->internal->options & SSL_OP_NO_DTLSv1)
- options |= SSL_OP_NO_TLSv1_1;
+ options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
 if (s->internal->options & SSL_OP_NO_DTLSv1_2)
- options |= SSL_OP_NO_TLSv1_2;
+ options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
 }
 if ((options & SSL_OP_NO_TLSv1) == 0)
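Review bot: The two new `options |=` lines inside the `SSL_is_dtls(s)` branch encode a non-obvious fact — that no DTLS version corresponds to TLSv1.0 — without saying so, and a reader will wonder why the SSL_OP_NO_DTLSv1_2 case touches SSL_OP_NO_TLSv1 at all. A comment above the first `if` would carry the reasoning the commit message gives, e.g. `/* DTLS has no TLSv1.0 equivalent: always exclude it so the computed minimum can be mapped back to a DTLS version. */`. The unconditional `options = 0;` also discards any SSL_OP_NO_TLSv1_x bits the caller set, which is presumably intentional for DTLS but is worth stating in the same comment. Since a wrong mapping here silently widens or narrows the negotiable version range, a regression case that sets SSL_OP_NO_DTLSv1 on a DTLS method and checks the resulting min/max would pin the fix. ssl_enabled_tls_version_range continues outside the hunk.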