Use enc_flags when deciding protocol variations. Use the enc_flags field to determine whether we should use explicit IV, signature algorithms or SHA256 default PRF instead of hard coding which versions support each requirement.
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 2fe30d7..b92d879 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c
@@ -4458,14 +4458,14 @@ } return(ret); } -/* If we are using TLS v1.2 or later and default SHA1+MD5 algorithms switch - * to new SHA256 PRF and handshake macs +/* If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF + * and handshake macs if required. */ long ssl_get_algorithm2(SSL *s) { long alg2 = s->s3->tmp.new_cipher->algorithm2; - if (TLS1_get_version(s) >= TLS1_2_VERSION && - alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) + if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF + && alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; return alg2; }