authorMatt Caswell <matt@openssl.org>2017-07-07 10:56:48 +0100
committerMatt Caswell <matt@openssl.org>2017-07-07 16:08:05 +0100
commit4f11c7476b14225d5919924e433dbac0b4806081 (patch)
treeeb9e9ede868e339c6f1c7aebc019c15e974ae888 /include
parent4e2bd9cb0f1a602a5c02906eb9d5bd1a592b684b (diff)
Choose a safer value for SSL_OP_ALLOW_NO_DHE_KEX
1.1.0 included the previous value for SSL_OP_ALLOW_NO_DHE_KEX in SSL_OP_ALL. This might cause binary compatibility issues. We should choose a value that is not in SSL_OP_ALL. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3833)
Diffstat (limited to 'include')
-rw-r--r--include/openssl/ssl.h6
1 files changed, 3 insertions, 3 deletions
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index cc5b398a16..156b50a16a 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -282,14 +282,14 @@ typedef int (*SSL_custom_ext_parse_cb_ex) (SSL *s, unsigned int ext_type,
/* Typedef for verification callback */
typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
-/* In TLSv1.3 allow a non-(ec)dhe based kex_mode */
-# define SSL_OP_ALLOW_NO_DHE_KEX 0x00000001U
-
/* Allow initial connection to servers that don't support RI */
# define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004U
# define SSL_OP_TLSEXT_PADDING 0x00000010U
# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040U
+/* In TLSv1.3 allow a non-(ec)dhe based kex_mode */
+# define SSL_OP_ALLOW_NO_DHE_KEX 0x00000400U
+
/*
* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added in
* OpenSSL 0.9.6d. Usually (depending on the application protocol) the
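Review bot: The comment on the relocated `SSL_OP_ALLOW_NO_DHE_KEX` define still says only what the option does, not the constraint this commit exists to enforce: its bit must stay outside `SSL_OP_ALL`. Per the commit message, the 1.1.0 `SSL_OP_ALL` mask covered the old value, so a binary passing that mask would have enabled non-(EC)DHE key exchange in TLSv1.3 without asking for it, and that mode gives up forward secrecy. I would extend the comment to something like `/* In TLSv1.3 allow a non-(ec)dhe based kex_mode. Must not overlap SSL_OP_ALL (including the 1.1.0 value). */` so the bit is not folded into the mask later. The `SSL_OP_ALL` definition is outside this hunk, so it cannot be confirmed from here that 0x00000400U is clear of it.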