MDEV-12190 YASSL isn't able to negotiate TLS version correctly

Backport from 10.2

MDEV-12190 YASSL isn't able to negotiate TLS version correctly
Backport from 10.2
0943b33d · Vladislav Vaintroub · 926edd48 · 0943b33d
Commit 0943b33d authored Mar 14, 2018 by Vladislav Vaintroub
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 0 deletions

extra/yassl/src/handshake.cpp extra/yassl/src/handshake.cpp +10 -0

No files found.
--- a/extra/yassl/src/handshake.cpp
+++ b/extra/yassl/src/handshake.cpp
@@ -787,6 +787,16 @@ int DoProcessReply(SSL& ssl)
            needHdr = true;
        else {
            buffer >> hdr;
+            /*
+              According to RFC 4346 (see "7.4.1.3. Server Hello"), the Server Hello
+              packet needs to specify the highest supported TLS version, but not
+              higher than what client requests. YaSSL highest supported version is
+              TLSv1.1 (=3.2) - if the client requests a higher version, downgrade it
+              here to 3.2.
+              See also Appendix E of RFC 5246 (TLS 1.2)
+            */
+            if (hdr.version_.major_ == 3 && hdr.version_.minor_ > 2)
+              hdr.version_.minor_ = 2;
            ssl.verifyState(hdr);
        }