authorMatt Caswell <matt@openssl.org>2017-06-30 09:41:03 +0100
committerMatt Caswell <matt@openssl.org>2017-07-07 16:08:05 +0100
commite3c0d76bc7848aae01fe9a86720d435b999f3bc1 (patch)
tree7b4e014eee678d04c4bef40ccfa1da623a5c6009 /include
parent515982154031b679f58d5e2cbd7752294779221e (diff)
Do not allow non-dhe kex_modes by default
Allow that mode to be configured if desired. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3833)
Diffstat (limited to 'include')
-rw-r--r--include/openssl/ssl.h3
1 files changed, 3 insertions, 0 deletions
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 75fb1fcc7f..cc5b398a16 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -282,6 +282,9 @@ typedef int (*SSL_custom_ext_parse_cb_ex) (SSL *s, unsigned int ext_type,
/* Typedef for verification callback */
typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
+/* In TLSv1.3 allow a non-(ec)dhe based kex_mode */
+# define SSL_OP_ALLOW_NO_DHE_KEX 0x00000001U
+
/* Allow initial connection to servers that don't support RI */
# define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004U
# define SSL_OP_TLSEXT_PADDING 0x00000010U
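Review bot: The comment on `SSL_OP_ALLOW_NO_DHE_KEX` does not tell a caller what setting it gives up: a TLSv1.3 PSK handshake with no (EC)DHE share has no forward secrecy, so the confidentiality of those sessions rests entirely on the PSK or ticket key staying secret. I would spell that out at the definition, e.g. `/* In TLSv1.3 allow a non-(ec)dhe based kex_mode (PSK-only). Off by default: such handshakes provide no forward secrecy */`. The value 0x00000001U sits below the first visible neighbour (0x00000004U). Whether earlier headers ever assigned that bit to a since-retired option cannot be seen from this hunk, so it is worth confirming that applications carrying old hard-coded option masks cannot turn this on by accident. The diff view is limited to 'include', so any matching change to the options documentation is not visible here.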