Latest update (1.1.2 -> 3.0.0)

README.md

@@ -31,7 +31,7 @@ Default support is in bold type.
 - [Google(Gmail)](https://gmail.com/) : _TLSv1.3_ draft 23, 28, **final**
 - [NSS TLS 1.3(Mozilla)](https://tls13.crypto.mozilla.org/) : _TLSv1.3_ **final**
 
-[Compatible OpenSSL-1.1.1a (OpenSSL, 22932 commits)](https://github.com/openssl/openssl/tree/d1c28d791a7391a8dc101713cd8646df96491d03)
+[Compatible OpenSSL-3.0.0-dev (OpenSSL, 23063 commits)](https://github.com/openssl/openssl/tree/3a63dbef15b62b121c5df8762f8cb915fb06b27a)
 
 ## Patch files
 
@@ -47,9 +47,9 @@ Here is the basic patch content.
 | Patch file name | Patch list |
 | :--- | :--- |
 | openssl-1.1.1a-tls13_draft.patch | Only for TLS 1.3 draft 23, 26, 28, final support patch. |
-| openssl-equal-1.1.1a.patch<br>openssl-equal-1.1.2-dev.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
-| openssl-equal-1.1.1a_ciphers.patch<br>openssl-equal-1.1.2-dev_ciphers.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
-| openssl-1.1.1a-chacha_draft.patch | A draft version of chacha20-poly1305 is available. [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427554824) |
+| openssl-equal-1.1.1a.patch<br>openssl-equal-3.0.0-dev.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
+| openssl-equal-1.1.1a_ciphers.patch<br>openssl-equal-3.0.0-dev_ciphers.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
+| openssl-1.1.1a-chacha_draft.patch<br>openssl-3.0.0-dev-chacha_draft.patch | A draft version of chacha20-poly1305 is available. [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427554824) |
 | openssl-1.1.1a-tls13_draft.patch | Enable TLS 1.3 draft 23, 26, 28, final. |
 | openssl-1.1.1a-tls13_nginx_config.patch | You can set TLS 1.3 ciphere in nginx. ex) TLS13+AESGCM+AES128 |
 
@@ -82,7 +82,7 @@ Example of setting TLS 1.3 cipher in nginx:
 git clone https://github.com/openssl/openssl.git
 git clone https://github.com/hakasenyang/openssl-patch.git
 cd openssl
-patch -p1 < ../openssl-patch/openssl-equal-1.1.2-dev_ciphers.patch
+patch -p1 < ../openssl-patch/openssl-equal-3.0.0-dev_ciphers.patch
 ```
 
 And then use --with-openssl in nginx or build after ./config.
@@ -139,6 +139,8 @@ Thanks [@JemmyLoveJenny](https://github.com/hakasenyang/openssl-patch/issues/1#i
 
 ### nginx OpenSSL-1.1.x Renegotiation Bugfix
 
+It has already been patched by nginx >= 1.15.4.
+
 Run it from the nginx directory.
 
 ``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_openssl-1.1.x_renegotiation_bugfix.patch | patch -p1``
@@ -157,12 +159,12 @@ ssl_ecdh_curve X25519:P-256:P-384;
 ssl_prefer_server_ciphers on;
 ```
 
-### OpenSSL-1.1.x (>= 1.1.1a) ciphers (draft 23, 26, 28, final)
+### OpenSSL-1.1.1a, 3.0.0-dev ciphers (draft 23, 26, 28, final)
 ```
 [EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
 ```
 
-### OpenSSL-1.1.x_ciphers (>= 1.1.1a) ciphers (draft 23, 26, 28, final)
+### OpenSSL-1.1.1a_ciphers, 3.0.0-dev_ciphers ciphers (draft 23, 26, 28, final)
 ```
 [TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
 ```

openssl-3.0.0-dev-chacha_draft.patch

@@ -291,7 +291,7 @@ index 590bbe9a13..39a76eb2e1 100644
  
  ISO-US 10046 2 1	: dhpublicnumber		: X9.42 DH
 diff --git a/include/openssl/evp.h b/include/openssl/evp.h
-index d22956d343..77006675f3 100644
+index 36249b4201..4896155729 100644
 --- a/include/openssl/evp.h
 +++ b/include/openssl/evp.h
 @@ -918,6 +918,7 @@ const EVP_CIPHER *EVP_camellia_256_ctr(void);
@@ -318,7 +318,7 @@ index e977a24c66..280efb665e 100644
  #define LN_dhpublicnumber               "X9.42 DH"
  #define NID_dhpublicnumber              920
 diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
-index 1e9e8d5721..babce9025d 100644
+index fe2e479028..da1ff8f855 100644
 --- a/include/openssl/ssl.h
 +++ b/include/openssl/ssl.h
 @@ -125,6 +125,7 @@ extern "C" {
@@ -330,7 +330,7 @@ index 1e9e8d5721..babce9025d 100644
  # define SSL_TXT_ARIA            "ARIA"
  # define SSL_TXT_ARIA_GCM        "ARIAGCM"
 diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
-index e13b5dd4bc..53d43c121e 100644
+index 434dff1500..e1603867d0 100644
 --- a/include/openssl/tls1.h
 +++ b/include/openssl/tls1.h
 @@ -597,7 +597,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
@@ -372,7 +372,7 @@ index e13b5dd4bc..53d43c121e 100644
  # define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305       "ECDHE-ECDSA-CHACHA20-POLY1305"
  # define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305           "DHE-RSA-CHACHA20-POLY1305"
 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index 4b9906f215..4821bbf269 100644
+index a5b3dbbfd5..a5a7993065 100644
 --- a/ssl/s3_lib.c
 +++ b/ssl/s3_lib.c
 @@ -2082,6 +2082,54 @@ static SSL_CIPHER ssl3_ciphers[] = {
@@ -431,7 +431,7 @@ index 4b9906f215..4821bbf269 100644
       1,
       TLS1_TXT_PSK_WITH_CHACHA20_POLY1305,
 diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
-index 14066d0ea4..0ded2bd6b6 100644
+index bd97c0fdab..020ba7ac63 100644
 --- a/ssl/ssl_ciph.c
 +++ b/ssl/ssl_ciph.c
 @@ -43,7 +43,8 @@
@@ -480,7 +480,7 @@ index 14066d0ea4..0ded2bd6b6 100644
      } else if (c->algorithm_mac & SSL_AEAD) {
          /* We're supposed to have handled all the AEAD modes above */
 diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
-index 70e5a1740f..d75ba89a40 100644
+index 98e8e8a46d..d64dd57d78 100644
 --- a/ssl/ssl_locl.h
 +++ b/ssl/ssl_locl.h
 @@ -230,12 +230,13 @@
@@ -499,11 +499,11 @@ index 70e5a1740f..d75ba89a40 100644
  # define SSL_ARIA                (SSL_ARIAGCM)
  
 diff --git a/util/libcrypto.num b/util/libcrypto.num
-index f7d6cb5823..de1a6e7804 100644
+index 964f581667..66d7b47dc3 100644
 --- a/util/libcrypto.num
 +++ b/util/libcrypto.num
-@@ -4603,3 +4603,4 @@ SRP_user_pwd_new                        4556	1_1_2	EXIST::FUNCTION:SRP
- SRP_user_pwd_set_gN                     4557	1_1_2	EXIST::FUNCTION:SRP
- SRP_user_pwd_set1_ids                   4558	1_1_2	EXIST::FUNCTION:SRP
- SRP_user_pwd_set0_sv                    4559	1_1_2	EXIST::FUNCTION:SRP
-+EVP_chacha20_poly1305_draft             4560	1_1_0	EXIST::FUNCTION:CHACHA,POLY1305_DRAFT
+@@ -4608,3 +4608,4 @@ OPENSSL_version_minor                   4561	3_0_0	EXIST::FUNCTION:
+ OPENSSL_version_patch                   4562	3_0_0	EXIST::FUNCTION:
+ OPENSSL_version_pre_release             4563	3_0_0	EXIST::FUNCTION:
+ OPENSSL_version_build_metadata          4564	3_0_0	EXIST::FUNCTION:
++EVP_chacha20_poly1305_draft             4565	1_1_0	EXIST::FUNCTION:CHACHA,POLY1305_DRAFT

openssl-equal-3.0.0-dev.patch

@@ -25,7 +25,7 @@ index 3aea982384..3c93eba0bf 100644
  
  The following lists give the SSL or TLS cipher suites names from the
 diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
-index 1e9e8d5721..f49e049d90 100644
+index fe2e479028..4d4ed0a0b8 100644
 --- a/include/openssl/ssl.h
 +++ b/include/openssl/ssl.h
 @@ -173,12 +173,12 @@ extern "C" {
@@ -71,7 +71,7 @@ index 87b295c9f9..d118d8e864 100644
  # define SSL_R_UNINITIALIZED                              276
  # define SSL_R_UNKNOWN_ALERT_TYPE                         246
 diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
-index e13b5dd4bc..779341c948 100644
+index 434dff1500..f90230ff45 100644
 --- a/include/openssl/tls1.h
 +++ b/include/openssl/tls1.h
 @@ -30,6 +30,16 @@ extern "C" {
@@ -92,7 +92,7 @@ index e13b5dd4bc..779341c948 100644
  # define TLS_ANY_VERSION                 0x10000
  
 diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c
-index a11ed483e6..4fd583dd03 100644
+index 30e5dddf82..4f1c2f2bd1 100644
 --- a/ssl/record/ssl3_record_tls13.c
 +++ b/ssl/record/ssl3_record_tls13.c
 @@ -173,8 +173,9 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
@@ -108,7 +108,7 @@ index a11ed483e6..4fd583dd03 100644
                                  (unsigned int)rec->length) <= 0
              || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index 4b9906f215..d6739d97f7 100644
+index a5b3dbbfd5..505c32d18e 100644
 --- a/ssl/s3_lib.c
 +++ b/ssl/s3_lib.c
 @@ -167,7 +167,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
@@ -352,7 +352,7 @@ index 4b9906f215..d6739d97f7 100644
  }
  
 diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
-index 14066d0ea4..165f1c83b1 100644
+index bd97c0fdab..add5843bfb 100644
 --- a/ssl/ssl_ciph.c
 +++ b/ssl/ssl_ciph.c
 @@ -190,6 +190,7 @@ typedef struct cipher_order_st {
@@ -795,7 +795,7 @@ index 14066d0ea4..165f1c83b1 100644
  
  char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
-index 11331ce41f..cfc770b8d6 100644
+index 7b06878cef..4e03448e95 100644
 --- a/ssl/ssl_err.c
 +++ b/ssl/ssl_err.c
 @@ -965,6 +965,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
@@ -824,7 +824,7 @@ index 11331ce41f..cfc770b8d6 100644
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 087f768b0b..1cc5e6c3a9 100644
+index a709792c21..7cb488d16e 100644
 --- a/ssl/ssl_lib.c
 +++ b/ssl/ssl_lib.c
 @@ -1115,6 +1115,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
@@ -971,7 +971,7 @@ index 087f768b0b..1cc5e6c3a9 100644
      /* Dup the client_CA list */
      if (!dup_ca_names(&ret->ca_names, s->ca_names)
 diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
-index 70e5a1740f..d583840984 100644
+index 98e8e8a46d..674f820253 100644
 --- a/ssl/ssl_locl.h
 +++ b/ssl/ssl_locl.h
 @@ -741,9 +741,46 @@ typedef struct ssl_ctx_ext_secure_st {
@@ -1073,7 +1073,7 @@ index 70e5a1740f..d583840984 100644
  __owur int ssl3_new(SSL *s);
  void ssl3_free(SSL *s);
 diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index ab4dbf6713..745897b638 100644
+index 6e133e026e..f26bc8e879 100644
 --- a/ssl/statem/extensions_clnt.c
 +++ b/ssl/statem/extensions_clnt.c
 @@ -533,8 +533,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
@@ -1120,7 +1120,7 @@ index ab4dbf6713..745897b638 100644
       * The only protocol version we support which is valid in this extension in
       * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
 diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
-index 0f2b22392b..6c1ce9813f 100644
+index 6545f5727d..15786a7bfc 100644
 --- a/ssl/statem/extensions_srvr.c
 +++ b/ssl/statem/extensions_srvr.c
 @@ -897,7 +897,8 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
@@ -1144,10 +1144,10 @@ index 0f2b22392b..6c1ce9813f 100644
          SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                   SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
 diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
-index 4324896f50..d0de7ffe3d 100644
+index 9e68e05ccf..d05fa9f532 100644
 --- a/ssl/statem/statem_lib.c
 +++ b/ssl/statem/statem_lib.c
-@@ -1786,6 +1786,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
+@@ -1788,6 +1788,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
          unsigned int best_vers = 0;
          const SSL_METHOD *best_method = NULL;
          PACKET versionslist;
@@ -1156,7 +1156,7 @@ index 4324896f50..d0de7ffe3d 100644
  
          suppversions->parsed = 1;
  
-@@ -1807,6 +1809,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
+@@ -1809,6 +1811,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
              return SSL_R_BAD_LEGACY_VERSION;
  
          while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
@@ -1180,7 +1180,7 @@ index 4324896f50..d0de7ffe3d 100644
              if (version_cmp(s, candidate_vers, best_vers) <= 0)
                  continue;
              if (ssl_version_supported(s, candidate_vers, &best_method))
-@@ -1829,6 +1848,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
+@@ -1831,6 +1850,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
              }
              check_for_downgrade(s, best_vers, dgrd);
              s->version = best_vers;
@@ -1191,7 +1191,7 @@ index 4324896f50..d0de7ffe3d 100644
              return 0;
          }
 diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
-index e7c11c4bea..a2a6c1e44e 100644
+index b0dd54903d..1d096858f8 100644
 --- a/ssl/statem/statem_srvr.c
 +++ b/ssl/statem/statem_srvr.c
 @@ -1744,7 +1744,7 @@ static int tls_early_post_process_client_hello(SSL *s)
@@ -1234,7 +1234,7 @@ index e7c11c4bea..a2a6c1e44e 100644
                  if (cipher == NULL) {
                      SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
 diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
-index be3039af38..99c4ddcb41 100644
+index 656fefe896..654271f368 100644
 --- a/ssl/t1_trce.c
 +++ b/ssl/t1_trce.c
 @@ -65,6 +65,11 @@ static const ssl_trace_tbl ssl_version_tbl[] = {

openssl-equal-3.0.0-dev_ciphers.patch

@@ -50,7 +50,7 @@ index 87b295c9f9..d118d8e864 100644
  # define SSL_R_UNINITIALIZED                              276
  # define SSL_R_UNKNOWN_ALERT_TYPE                         246
 diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
-index e13b5dd4bc..779341c948 100644
+index 434dff1500..f90230ff45 100644
 --- a/include/openssl/tls1.h
 +++ b/include/openssl/tls1.h
 @@ -30,6 +30,16 @@ extern "C" {
@@ -71,7 +71,7 @@ index e13b5dd4bc..779341c948 100644
  # define TLS_ANY_VERSION                 0x10000
  
 diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c
-index a11ed483e6..4fd583dd03 100644
+index 30e5dddf82..4f1c2f2bd1 100644
 --- a/ssl/record/ssl3_record_tls13.c
 +++ b/ssl/record/ssl3_record_tls13.c
 @@ -173,8 +173,9 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
@@ -87,7 +87,7 @@ index a11ed483e6..4fd583dd03 100644
                                  (unsigned int)rec->length) <= 0
              || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index 4b9906f215..de15b9e04e 100644
+index a5b3dbbfd5..6dd4ad4b68 100644
 --- a/ssl/s3_lib.c
 +++ b/ssl/s3_lib.c
 @@ -31,7 +31,25 @@ const unsigned char tls12downgrade[] = {
@@ -380,7 +380,7 @@ index 4b9906f215..de15b9e04e 100644
  }
  
 diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
-index 14066d0ea4..dc190fa334 100644
+index bd97c0fdab..eccce1509a 100644
 --- a/ssl/ssl_ciph.c
 +++ b/ssl/ssl_ciph.c
 @@ -190,6 +190,7 @@ typedef struct cipher_order_st {
@@ -830,7 +830,7 @@ index 14066d0ea4..dc190fa334 100644
  
  char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
-index 11331ce41f..cfc770b8d6 100644
+index 7b06878cef..4e03448e95 100644
 --- a/ssl/ssl_err.c
 +++ b/ssl/ssl_err.c
 @@ -965,6 +965,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
@@ -859,7 +859,7 @@ index 11331ce41f..cfc770b8d6 100644
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 087f768b0b..1cc5e6c3a9 100644
+index a709792c21..7cb488d16e 100644
 --- a/ssl/ssl_lib.c
 +++ b/ssl/ssl_lib.c
 @@ -1115,6 +1115,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
@@ -1006,7 +1006,7 @@ index 087f768b0b..1cc5e6c3a9 100644
      /* Dup the client_CA list */
      if (!dup_ca_names(&ret->ca_names, s->ca_names)
 diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
-index 70e5a1740f..d583840984 100644
+index 98e8e8a46d..674f820253 100644
 --- a/ssl/ssl_locl.h
 +++ b/ssl/ssl_locl.h
 @@ -741,9 +741,46 @@ typedef struct ssl_ctx_ext_secure_st {
@@ -1108,7 +1108,7 @@ index 70e5a1740f..d583840984 100644
  __owur int ssl3_new(SSL *s);
  void ssl3_free(SSL *s);
 diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index ab4dbf6713..745897b638 100644
+index 6e133e026e..f26bc8e879 100644
 --- a/ssl/statem/extensions_clnt.c
 +++ b/ssl/statem/extensions_clnt.c
 @@ -533,8 +533,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
@@ -1155,7 +1155,7 @@ index ab4dbf6713..745897b638 100644
       * The only protocol version we support which is valid in this extension in
       * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
 diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
-index 0f2b22392b..6c1ce9813f 100644
+index 6545f5727d..15786a7bfc 100644
 --- a/ssl/statem/extensions_srvr.c
 +++ b/ssl/statem/extensions_srvr.c
 @@ -897,7 +897,8 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
@@ -1179,10 +1179,10 @@ index 0f2b22392b..6c1ce9813f 100644
          SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                   SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
 diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
-index 4324896f50..d0de7ffe3d 100644
+index 9e68e05ccf..d05fa9f532 100644
 --- a/ssl/statem/statem_lib.c
 +++ b/ssl/statem/statem_lib.c
-@@ -1786,6 +1786,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
+@@ -1788,6 +1788,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
          unsigned int best_vers = 0;
          const SSL_METHOD *best_method = NULL;
          PACKET versionslist;
@@ -1191,7 +1191,7 @@ index 4324896f50..d0de7ffe3d 100644
  
          suppversions->parsed = 1;
  
-@@ -1807,6 +1809,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
+@@ -1809,6 +1811,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
              return SSL_R_BAD_LEGACY_VERSION;
  
          while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
@@ -1215,7 +1215,7 @@ index 4324896f50..d0de7ffe3d 100644
              if (version_cmp(s, candidate_vers, best_vers) <= 0)
                  continue;
              if (ssl_version_supported(s, candidate_vers, &best_method))
-@@ -1829,6 +1848,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
+@@ -1831,6 +1850,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
              }
              check_for_downgrade(s, best_vers, dgrd);
              s->version = best_vers;
@@ -1226,7 +1226,7 @@ index 4324896f50..d0de7ffe3d 100644
              return 0;
          }
 diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
-index e7c11c4bea..a2a6c1e44e 100644
+index b0dd54903d..1d096858f8 100644
 --- a/ssl/statem/statem_srvr.c
 +++ b/ssl/statem/statem_srvr.c
 @@ -1744,7 +1744,7 @@ static int tls_early_post_process_client_hello(SSL *s)
@@ -1269,7 +1269,7 @@ index e7c11c4bea..a2a6c1e44e 100644
                  if (cipher == NULL) {
                      SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
 diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
-index be3039af38..99c4ddcb41 100644
+index 656fefe896..654271f368 100644
 --- a/ssl/t1_trce.c
 +++ b/ssl/t1_trce.c
 @@ -65,6 +65,11 @@ static const ssl_trace_tbl ssl_version_tbl[] = {