diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h

--- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms	2020-04-21 14:22:39.000000000 +0200

+++ openssl-1.1.1g/include/openssl/ssl3.h	2020-06-05 15:20:22.090682776 +0200

@@ -292,6 +292,9 @@ extern "C" {

 # define TLS1_FLAGS_STATELESS                    0x0800

+/* Set if extended master secret extension required on renegotiation */

+# define TLS1_FLAGS_REQUIRED_EXTMS               0x1000

+

 # define SSL3_MT_HELLO_REQUEST                   0

 # define SSL3_MT_CLIENT_HELLO                    1

 # define SSL3_MT_SERVER_HELLO                    2

diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c

--- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms	2020-04-21 14:22:39.000000000 +0200

+++ openssl-1.1.1g/ssl/statem/extensions.c	2020-06-05 15:22:19.677653437 +0200

@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int

 static int init_ems(SSL *s, unsigned int context)

 {

-    if (!s->server)

+    if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {

         s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;

+        s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;

+    }

     return 1;

 }

 static int final_ems(SSL *s, unsigned int context, int sent)

 {

+    /*

+     * Check extended master secret extension is not dropped on

+     * renegotiation.

+     */

+    if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)

+        && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {

+        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,

+                 SSL_R_INCONSISTENT_EXTMS);

+        return 0;

+    }

     if (!s->server && s->hit) {

         /*

          * Check extended master secret extension is consistent with