OpenSSL: Update security level drop for TLS 1.0/1.1 with OpenSSL 3.0

OpenSSL 3.0 dropped these older TLS versions from the security level 2 to 1, so need to drop the security level all the way to 0 if TLS v1.0 or v1.1 is explicitly enabled. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-11 17:37:32 +02:00 · 2022-01-11 17:37:32 +02:00 · 58bbcfa31b
commit 58bbcfa31b
parent f5fcac731f
1 changed files with 17 additions and 7 deletions
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@ -3023,13 +3023,23 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
 	!defined(LIBRESSL_VERSION_NUMBER) && \
 	!defined(OPENSSL_IS_BORINGSSL)
-	if ((flags & (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
-	    SSL_get_security_level(ssl) >= 2) {
-		/*
-		 * Need to drop to security level 1 to allow TLS versions older
-		 * than 1.2 to be used when explicitly enabled in configuration.
-		 */
-		SSL_set_security_level(conn->ssl, 1);
+	{
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		int need_level = 0;
+#else
+		int need_level = 1;
+#endif
+
+		if ((flags &
+		     (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
+		    SSL_get_security_level(ssl) > need_level) {
+			/*
+			 * Need to drop to security level 1 (or 0  with OpenSSL
+			 * 3.0) to allow TLS versions older than 1.2 to be used
+			 * when explicitly enabled in configuration.
+			 */
+			SSL_set_security_level(conn->ssl, need_level);
+		}
 	}
 #endif