[openssl-commits] [openssl] master update

Paul I. Dale pauli at openssl.org
Wed Aug 22 03:23:40 UTC 2018


The branch master has been updated
       via  c6ea08836bb97555194afb6fd1a81fd9da29985a (commit)
      from  3b8e97ab61624f4fbe8bb6a587f4da75cc3d988e (commit)


- Log -----------------------------------------------------------------
commit c6ea08836bb97555194afb6fd1a81fd9da29985a
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Tue Aug 14 15:03:16 2018 +0200

    Allow TLS-1.3 ciphersuites in @SECLEVEL=3 and above
    
    The TLS-1.3 ciphersuites must not be blocked by @SECLEVEL=3 even
    though they are not explicitly marked as using DH/ECDH.
    
    Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6959)

-----------------------------------------------------------------------

Summary of changes:
 ssl/ssl_cert.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index df5cff7..e740a8c 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -947,7 +947,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
             if (level >= 2 && c->algorithm_enc == SSL_RC4)
                 return 0;
             /* Level 3: forward secure ciphersuites only */
-            if (level >= 3 && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
+            if (level >= 3 && (c->min_tls != TLS1_3_VERSION ||
+                               !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))))
                 return 0;
             break;
         }
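Review bot: the rewritten condition in this hunk has its boolean logic inverted. With `(c->min_tls != TLS1_3_VERSION || !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))`, every ciphersuite whose `min_tls` is not `TLS1_3_VERSION` makes the parenthesised expression true on its own, so at level 3 all pre-TLS1.3 suites are rejected, including the DHE/ECDHE ones the comment above ("forward secure ciphersuites only") says should still be accepted. The intent stated in the commit message (TLS 1.3 suites pass; older suites pass only if they use ephemeral DH/ECDH) needs `&&` rather than `||`, i.e. reject only when the suite is both not TLS 1.3 and not forward secure:
`if (level >= 3 && c->min_tls != TLS1_3_VERSION &&`
`                   !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))`
It would also be worth pairing the change with a test that sets `@SECLEVEL=3` and checks that both a TLS 1.2 ECDHE suite and a TLS 1.3 suite still negotiate, so the level-3 path is exercised in both directions.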

