authorlloyd <[email protected]>2012-01-20 16:39:32 +0000
committerlloyd <[email protected]>2012-01-20 16:39:32 +0000
commit50840e48f5b7bed3eb0de472d9d5ef15f231da83 (patch)
tree593a266cbf60979288c26d3601624e837d1f9275 /src/tls/tls_server.cpp
parentc6f0d82882522add74527a1657cc6ecd03c0af0c (diff)
If the client sent something > TLS 1.2, we sould respond as TLS 1.1
instead of TLS 1.2. The server now will respect policy.pref_version - if the client sends a version later than that, we reply with our preferred version. Before we would always reply with the version offered by the client.
Diffstat (limited to 'src/tls/tls_server.cpp')
-rw-r--r--src/tls/tls_server.cpp26
1 files changed, 10 insertions, 16 deletions
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index be4cba164..c2627ac23 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -16,20 +16,6 @@ namespace Botan {
namespace {
-/*
-* Choose what version to respond with
-*/
-Version_Code choose_version(Version_Code client, Version_Code minimum)
- {
- if(client < minimum)
- throw TLS_Exception(PROTOCOL_VERSION,
- "Client version is unacceptable by policy");
-
- if(client == SSL_V3 || client == TLS_V10 || client == TLS_V11 || client == TLS_V12)
- return client;
- return TLS_V11;
- }
-
bool check_for_resume(TLS_Session& session_info,
TLS_Session_Manager& session_manager,
Client_Hello* client_hello)
@@ -168,8 +154,16 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
m_hostname = state->client_hello->sni_hostname();
- state->version = choose_version(state->client_hello->version(),
- policy.min_version());
+ Version_Code client_version = state->client_hello->version();
+
+ if(client_version < policy.min_version())
+ throw TLS_Exception(PROTOCOL_VERSION,
+ "Client version is unacceptable by policy");
+
+ if(client_version <= policy.pref_version())
+ state->version = client_version;
+ else
+ state->version = policy.pref_version();
secure_renegotiation.update(state->client_hello);
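Review bot: The minimum-version check in the added lines applies only to `client_version`, so the `else` branch can set `state->version` to a `policy.pref_version()` that is below `policy.min_version()` when a policy is configured inconsistently, and the server would then negotiate a version the policy forbids. The removed `choose_version` echoed the client's value only when it matched one of four known codes, whereas the new `client_version <= policy.pref_version()` branch accepts any value between the two policy bounds, so it relies on those bounds covering only implemented versions, which is not visible in this hunk. A guard ahead of the selection, such as `if(policy.pref_version() < policy.min_version()) throw TLS_Exception(PROTOCOL_VERSION, "Policy preferred version is below policy minimum");`, would make that assumption explicit. `process_handshake_msg` starts and ends outside the hunk.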