Don't resume sessions if the negotiated version doesn't match.

All of NSS, upstream OpenSSL, SChannel, and Secure Transport require, on the
client, that the ServerHello version match the session's version on resumption.
OpenSSL's current behavior is incompatible with all of these. Fall back to a
full handshake on the server instead of mismatch.

Add a comment on the client for why we are, as of
30ddb434bfb845356fbacb6b2bd51f8814c7043c, not currently enforcing the same in
the client.

Change-Id: I60aec972d81368c4ec30e2fd515dabd69401d175
Reviewed-by: Adam Langley <>
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index aeb2604..bade13b 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -974,6 +974,17 @@
 		goto f_err;
+	/* Most clients also require that the negotiated version match the
+	 * session's version if resuming. However OpenSSL has historically not
+	 * had the corresponding logic on the server, so this may not be
+	 * compatible, depending on other factors. (Whether the ClientHello
+	 * version is clamped to the session's version and whether the session
+	 * cache is keyed on IP address.)
+	 *
+	 * TODO(davidben): See if we can still enforce this? Perhaps for the
+	 * future TLS 1.3 and forward if this is fixed upstream. */
 	/* Don't digest cached records if no sigalgs: we may need them for
 	 * client authentication.