Commit acda536f5e for openssl.org
commit acda536f5e37a4af82d2de9cd7d8d8c4857a6d5c
Author: sftcd <stephen.farrell@cs.tcd.ie>
Date: Thu Dec 18 02:10:38 2025 +0000
ssl_choose_server_version(): With ECH check if connection is TLSv1.3
Fixes DEF-02-005
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 11 17:19:11 2026
(Merged from https://github.com/openssl/openssl/pull/29593)
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index d83b647a65..cab51b9da1 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -2139,6 +2139,18 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
+#ifndef OPENSSL_NO_ECH
+ /*
+ * Check we're dealing with a TLSv1.3 connection when ECH has
+ * succeeded, and not with a smuggled earlier version ClientHello
+ * (which could be a form of attack).
+ * This bit checks there is a supported version present, a little
+ * bit further below, we check that that version is TLSv1.3
+ */
+ if (!suppversions->present && s->ext.ech.success == 1)
+ return SSL_R_UNSUPPORTED_PROTOCOL;
+#endif
+
/* If we did an HRR then supported versions is mandatory */
if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
return SSL_R_UNSUPPORTED_PROTOCOL;
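Review bot: The comment above the new ECH check says what it rejects but not why the absence of supported_versions identifies a smuggled pre-TLSv1.3 ClientHello; a TLSv1.3 ClientHello is required to carry supported_versions (RFC 8446, section 4.2.1), so stating that makes the check self-justifying for the next reader. Suggest replacing the last two sentences of the comment with `* A TLSv1.3 ClientHello must carry supported_versions (RFC 8446, 4.2.1), so its absence after a successful ECH decryption means the inner ClientHello is not TLSv1.3; the version actually selected is compared against TLS1_3_VERSION further down.` It would also help to say in the comment that SSL_R_UNSUPPORTED_PROTOCOL is returned deliberately to match the HelloRetryRequest case directly below, so the two rejections are indistinguishable to a peer. The companion check in the second hunk spells the version "TLSV1.3"; "TLSv1.3" would match the rest of the file. ssl_choose_server_version() starts before this hunk and continues after it.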
@@ -2180,6 +2192,11 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
}
if (best_vers > 0) {
+#ifndef OPENSSL_NO_ECH
+ /* ECH needs TLSV1.3 also */
+ if (s->ext.ech.success == 1 && best_vers != TLS1_3_VERSION)
+ return SSL_R_UNSUPPORTED_PROTOCOL;
+#endif
if (s->hello_retry_request != SSL_HRR_NONE) {
/*
* This is after a HelloRetryRequest so we better check that we