From 1ed5fdcb034b4930f1a7243313d40f80fd281287 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= <peterdmv@erlang.org>
Date: Tue, 27 Nov 2018 16:44:11 +0100
Subject: ssl: Fix cipher suite selection

Accept only TLS 1.3 ciphers when TLS 1.3 is selected.

Change-Id: I4e934d344f52208263ffdeb31c357dd5727472b9
---
 lib/ssl/src/tls_handshake_1_3.erl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'lib/ssl/src/tls_handshake_1_3.erl')

diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl
index f381e038cf..4c18e76ad9 100644
--- a/lib/ssl/src/tls_handshake_1_3.erl
+++ b/lib/ssl/src/tls_handshake_1_3.erl
@@ -331,7 +331,8 @@ get_client_public_key(Group, ClientShares) ->
 select_cipher_suite([], _) ->
     {error, no_suitable_cipher};
 select_cipher_suite([Cipher|ClientCiphers], ServerCiphers) ->
-    case lists:member(Cipher, ServerCiphers) of
+    case lists:member(Cipher, tls_v1:suites('TLS_v1.3')) andalso
+        lists:member(Cipher, ServerCiphers) of
         true ->
             {ok, Cipher};
         false ->
-- 
cgit v1.2.3