diff -Nru openssl-1.0.1c/debian/changelog openssl-1.0.1c/debian/changelog --- openssl-1.0.1c/debian/changelog 2012-06-29 10:21:02.000000000 -0700 +++ openssl-1.0.1c/debian/changelog 2012-10-04 10:41:12.000000000 -0700 @@ -1,3 +1,12 @@ +openssl (1.0.1c-3ubuntu2) quantal; urgency=low + + * debian/patches/tls12_workarounds.patch: Readd the change to check + TLS1_get_client_version rather than TLS1_get_version to fix incorrect + client hello cipher list truncation when TLS 1.1 and lower is in use. + (LP: #1051892) + + -- Tyler Hicks Thu, 04 Oct 2012 10:34:57 -0700 + openssl (1.0.1c-3ubuntu1) quantal; urgency=low * Resynchronise with Debian. Remaining changes: diff -Nru openssl-1.0.1c/debian/patches/tls12_workarounds.patch openssl-1.0.1c/debian/patches/tls12_workarounds.patch --- openssl-1.0.1c/debian/patches/tls12_workarounds.patch 2012-06-29 10:13:05.000000000 -0700 +++ openssl-1.0.1c/debian/patches/tls12_workarounds.patch 2012-10-04 11:40:34.000000000 -0700 @@ -5,16 +5,21 @@ the number of ciphers sent in the client hello. 2. Set OPENSSL_NO_TLS1_2_CLIENT to disable TLS 1.2 client support entirely. + + Also, check TLS_get_client_version() rather than TLS1_get_versions() to avoid + improper truncation of client hello cipher lists. This change has been + forwarded upstream in rt #2881. Bug-Ubuntu: https://bugs.launchpad.net/bugs/965371 Bug-Debian: http://bugs.debian.org/665452 Bug: http://rt.openssl.org/Ticket/Display.html?id=2771 +Bug: http://rt.openssl.org/Ticket/Display.html?id=2881 Forwarded: not-needed -Last-Update: 2012-06-29 +Last-Update: 2012-10-04 -Index: b/Configure +Index: openssl-1.0.1c/Configure =================================================================== ---- a/Configure -+++ b/Configure +--- openssl-1.0.1c.orig/Configure 2012-10-03 23:59:05.235548667 -0700 ++++ openssl-1.0.1c/Configure 2012-10-04 10:34:23.076454592 -0700 
@@ -106,7 +106,7 @@ my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED"; @@ -24,3 +29,16 @@ $debian_cflags =~ s/\n/ /g; my $strict_warnings = 0; +Index: openssl-1.0.1c/ssl/s23_clnt.c +=================================================================== +--- openssl-1.0.1c.orig/ssl/s23_clnt.c 2012-10-03 23:46:22.967530550 -0700 ++++ openssl-1.0.1c/ssl/s23_clnt.c 2012-10-04 10:33:13.820452946 -0700 +@@ -491,7 +491,7 @@ + * as hack workaround chop number of supported ciphers + * to keep it well below this if we use TLS v1.2 + */ +- if (TLS1_get_version(s) >= TLS1_2_VERSION ++ if (TLS1_get_client_version(s) >= TLS1_2_VERSION + && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) + i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; + #endif
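Review bot: The added description paragraph names `TLS_get_client_version()` and `TLS1_get_versions()`, but the code hunk in this same patch uses `TLS1_get_client_version` and `TLS1_get_version`, so a search for the real names will not find this header. The header also now says the change "has been forwarded upstream in rt #2881" while the `Forwarded: not-needed` field is left unchanged. One of the two should be adjusted, for example `Forwarded: http://rt.openssl.org/Ticket/Display.html?id=2881`, so that anyone auditing which distro-only TLS workarounds are still carried gets a consistent answer.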
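Review bot: The comment above the changed condition still says only "if we use TLS v1.2" and does not record why the test reads `TLS1_get_client_version(s)`, even though the changelog entry describes this as a change being re-added. I would extend the comment with something like `/* Test the version offered in this client hello, not TLS1_get_version(s), so hellos offering TLS 1.1 or lower are not truncated. */`. Separately, `i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;` silently drops whatever sits at the tail of the cipher list, so which suites survive depends on list ordering. If the list builder appends a signalling value last (not visible here, worth confirming), that would be the first thing cut. The enclosing function starts and ends outside the hunk.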