X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Fssl%2Fssl_hs_client.t0;h=0747d42b93ea303748b7524c02fe53c848b70e8f;hp=911fdfcd30740590698e4946d51b324134540fdd;hb=932fb89081a66eef18fee56265fd29b93af0b081;hpb=c1e540575c63e09e6ab25c0c7826601d77b18d97

diff --git a/src/ssl/ssl_hs_client.t0 b/src/ssl/ssl_hs_client.t0
index 911fdfc..0747d42 100644
--- a/src/ssl/ssl_hs_client.t0
+++ b/src/ssl/ssl_hs_client.t0
@@ -686,16 +686,12 @@ cc: DEBUG-BLOB ( addr len -- ) {
 
 	\ Cipher suite. We check that it is part of the list of cipher
 	\ suites that we advertised.
-	\ read16 { suite ; found }
-	\ 0 >found
-	\ addr-suites_buf dup addr-suites_num get8 1 << +
-	\ begin dup2 < while
-	\ 	2 - dup get16
-	\ 	suite = found or >found
-	\ repeat
-	\ 2drop found ifnot ERR_BAD_CIPHER_SUITE fail then
 	read16
 	dup scan-suite 0< if ERR_BAD_CIPHER_SUITE fail then
+	\ Also check that the cipher suite is compatible with the
+	\ announced version: suites that don't use HMAC/SHA-1 are
+	\ for TLS-1.2 only, not older versions.
+	dup use-tls12? version 0x0303 < and if ERR_BAD_CIPHER_SUITE fail then
 	addr-cipher_suite resume check-resume
 
 	\ Compression method. Should be 0 (no compression).