Commit c6ea0883 authored Aug 14, 2018 by Tomas Mraz Committed by Pauli Aug 22, 2018

Allow TLS-1.3 ciphersuites in @SECLEVEL=3 and above



The TLS-1.3 ciphersuites must not be blocked by @SECLEVEL=3 even
though they are not explicitly marked as using DH/ECDH.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6959)

parent 3b8e97ab

ssl/ssl_cert.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -947,7 +947,8 @@ static int ssl_security_default_callback(const SSL s, const SSL_CTX ctx,
		if (level >= 2 && c->algorithm_enc == SSL_RC4)
		return 0;
		/* Level 3: forward secure ciphersuites only */
		if (level >= 3 && !(c->algorithm_mkey & (SSL_kEDH \| SSL_kEECDH)))
		if (level >= 3 && (c->min_tls != TLS1_3_VERSION \|\|
		!(c->algorithm_mkey & (SSL_kEDH \| SSL_kEECDH))))
		return 0;
		break;
		}