Don't detect a downgrade where the server has a protocol version hole

Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7013)
author: Matt Caswell <matt@openssl.org> 2018-08-20 20:05:28 +0300
committer: Matt Caswell <matt@openssl.org> 2018-08-22 17:15:19 +0300
commit: 5627f9f21764af7eac2af2fb8ec867cd65ca8949 (patch)
tree: 4313d7650ce6a132ba00feab55b02cc7fa87b536 /ssl
parent: 3e7cb13dff37795f022a1bedc5951130099a0fc6 (diff)
1 files changed, 10 insertions, 3 deletions
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 795202aadc..3961c14719 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1665,9 +1665,16 @@ static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
     if (vers == TLS1_2_VERSION
             && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
         *dgrd = DOWNGRADE_TO_1_2;
-    } else if (!SSL_IS_DTLS(s) && vers < TLS1_2_VERSION
-            && (ssl_version_supported(s, TLS1_2_VERSION, NULL)
-                || ssl_version_supported(s, TLS1_3_VERSION, NULL))) {
+    } else if (!SSL_IS_DTLS(s)
+            && vers < TLS1_2_VERSION
+               /*
+                * We need to ensure that a server that disables TLSv1.2
+                * (creating a hole between TLSv1.3 and TLSv1.1) can still
+                * complete handshakes with clients that support TLSv1.2 and
+                * below. Therefore we do not enable the sentinel if TLSv1.3 is
+                * enabled and TLSv1.2 is not.
+                */
+            && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
         *dgrd = DOWNGRADE_TO_1_1;
     } else {
         *dgrd = DOWNGRADE_NONE;
author	Matt Caswell <matt@openssl.org>	2018-08-20 20:05:28 +0300
committer	Matt Caswell <matt@openssl.org>	2018-08-22 17:15:19 +0300
commit	5627f9f21764af7eac2af2fb8ec867cd65ca8949 (patch)
tree	4313d7650ce6a132ba00feab55b02cc7fa87b536 /ssl
parent	3e7cb13dff37795f022a1bedc5951130099a0fc6 (diff)