From d519a628f4aa32fc64afc7e18a0d4b1130a8df6f Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 18 Jul 2017 09:23:53 +0200
Subject: handshake: always accept TLS 1.2 in client hello if we have later protocols enabled

That is because after TLS 1.3 there is no negotiation of the version using the Client Hello field, but with an extension.

Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/handshake.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/lib/handshake.c b/lib/handshake.c
index 3a9480c24c..8ed442b897 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -365,8 +365,19 @@ _gnutls_negotiate_legacy_version(gnutls_session_t session,
 {
 const version_entry_st *vers;
- /* if we do not support that version */
+ /* if we do not support that version, unless that version is TLS 1.2;
+ * TLS 1.2 is handled separately because it is always advertized under TLS 1.3 or later */
 if (adv_version == GNUTLS_VERSION_UNKNOWN ||
 _gnutls_version_is_supported(session, adv_version) == 0) {
+
+ if (adv_version == GNUTLS_TLS1_2) {
+ vers = _gnutls_version_max(session);
+ if (vers->id >= GNUTLS_TLS1_2) {
+ if (_gnutls_set_current_version(session, adv_version) < 0)
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+ return adv_version;
+ }
+ }
+
 /* if we get an unknown/unsupported version, then fail if the version we
 * got is too low to be supported */
 if (!_gnutls_version_is_too_high(session, major, minor))
-- 
cgit v1.2.1
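Review bot: The new TLS 1.2 branch returns adv_version after _gnutls_version_is_supported() has already reported it as not enabled, so the function's return value no longer guarantees that the negotiated legacy version is in the session's priorities; if the peer never sends a supported_versions extension, a caller that trusts this return would continue the handshake at a disabled TLS 1.2 unless a later step re-checks the final version against the priorities, and I could not see that step from this hunk. I would state the weakened contract where the branch returns, e.g. `/* TLS 1.2 may be returned here even if disabled; the caller must re-validate the final version once supported_versions has been processed */`, and confirm that re-validation exists. Separately, `vers = _gnutls_version_max(session)` is dereferenced without a NULL check on the next line; if that helper can return NULL when no protocol is enabled, guard it with `if (vers && vers->id >= GNUTLS_TLS1_2) {`. _gnutls_negotiate_legacy_version starts and ends outside the hunk.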