author | Tomas Mraz <tmraz@fedoraproject.org> | 2018-08-14 15:03:16 +0200 |
---|---|---|
committer | Pauli <paul.dale@oracle.com> | 2018-08-22 13:23:10 +1000 |
commit | c6ea08836bb97555194afb6fd1a81fd9da29985a (patch) | |
tree | 9298e11c02bf967791e2e3b9da31a133a404d121 /ssl | |
parent | 3b8e97ab61624f4fbe8bb6a587f4da75cc3d988e (diff) | |
download | openssl-c6ea08836bb97555194afb6fd1a81fd9da29985a.tar.gz |
Allow TLS-1.3 ciphersuites in @SECLEVEL=3 and above
The TLS-1.3 ciphersuites must not be blocked by @SECLEVEL=3 even
though they are not explicitly marked as using DH/ECDH.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6959)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/ssl_cert.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index df5cff79c9..e740a8c25d 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -947,7 +947,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, if (level >= 2 && c->algorithm_enc == SSL_RC4) return 0; /* Level 3: forward secure ciphersuites only */ - if (level >= 3 && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))) + if (level >= 3 && (c->min_tls != TLS1_3_VERSION || + !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))) return 0; break; } |
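Review bot: the new condition in ssl_security_default_callback is inverted and rejects every ciphersuite at level >= 3, not just the non-forward-secure ones. With `||`, any ciphersuite whose min_tls is not TLS1_3_VERSION makes the first operand true and returns 0 regardless of its key exchange, and a TLS 1.3 suite makes the second operand true because, as the commit message says, those suites are not marked with SSL_kEDH or SSL_kEECDH in algorithm_mkey. The intent described in the message (skip the DH/ECDH requirement only for TLS 1.3 suites) needs `&&`:
`if (level >= 3 && c->min_tls != TLS1_3_VERSION &&`
`!(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))`
`return 0;`
A test that sets @SECLEVEL=3 and checks that both a TLS 1.3 suite and a TLS 1.2 ECDHE suite are still accepted while a static-RSA suite is refused would have caught this.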