From 58bbcfa31b18eae42e3f3dc8fea716360d4bb67f Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 11 Jan 2022 17:37:32 +0200
Subject: [PATCH] OpenSSL: Update security level drop for TLS 1.0/1.1 with OpenSSL 3.0
OpenSSL 3.0 dropped these older TLS versions from the security level 2 to 1, so need to drop the security level all the way to 0 if TLS v1.0 or v1.1 is explicitly enabled.
Signed-off-by: Jouni Malinen
---
 src/crypto/tls_openssl.c | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index ad651bdc8..c9e00b3af 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3023,13 +3023,23 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
 !defined(LIBRESSL_VERSION_NUMBER) && \
 !defined(OPENSSL_IS_BORINGSSL)
- if ((flags & (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
- SSL_get_security_level(ssl) >= 2) {
- /*
- * Need to drop to security level 1 to allow TLS versions older
- * than 1.2 to be used when explicitly enabled in configuration.
- */
- SSL_set_security_level(conn->ssl, 1);
+ {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ int need_level = 0;
+#else
+ int need_level = 1;
+#endif
+
+ if ((flags &
+ (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
+ SSL_get_security_level(ssl) > need_level) {
+ /*
+ * Need to drop to security level 1 (or 0 with OpenSSL
+ * 3.0) to allow TLS versions older than 1.2 to be used
+ * when explicitly enabled in configuration.
+ */
+ SSL_set_security_level(conn->ssl, need_level);
+ }
 }
 #endif
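Review bot: Dropping to security level 0 on OpenSSL 3.0 (`SSL_set_security_level(conn->ssl, need_level)` with `need_level = 0`) relaxes far more than the TLS 1.0/1.1 version restriction: per OpenSSL's documentation level 0 permits everything, so short RSA/DH keys, weak signature digests and low-strength cipher suites are no longer rejected either, and a configuration that only asked for an older protocol version silently loses those guards as well. The added comment should state this so the next maintainer does not read the drop as version-only, e.g. `/* Level 0 disables all of OpenSSL's strength checks, not just the TLS < 1.2 restriction; the configured cipher list and key-size limits must stand on their own. */`. The `> need_level` test also lowers an operator-chosen level above the default whenever these flags are set; emitting a log line at that point would make the downgrade visible to whoever enabled the legacy versions. `tls_set_conn_flags` begins before the hunk and continues after it.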