OpenSSL: Update security level drop for TLS 1.0/1.1 with OpenSSL 3.0
OpenSSL 3.0 dropped these older TLS versions from the security level 2 to 1, so need to drop the security level all the way to 0 if TLS v1.0 or v1.1 is explicitly enabled. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
parent
f5fcac731f
commit
58bbcfa31b
1 changed files with 17 additions and 7 deletions
|
@ -3023,13 +3023,23 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
|
||||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
|
||||||
!defined(LIBRESSL_VERSION_NUMBER) && \
|
!defined(LIBRESSL_VERSION_NUMBER) && \
|
||||||
!defined(OPENSSL_IS_BORINGSSL)
|
!defined(OPENSSL_IS_BORINGSSL)
|
||||||
if ((flags & (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
|
{
|
||||||
SSL_get_security_level(ssl) >= 2) {
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
int need_level = 0;
|
||||||
|
#else
|
||||||
|
int need_level = 1;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if ((flags &
|
||||||
|
(TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
|
||||||
|
SSL_get_security_level(ssl) > need_level) {
|
||||||
/*
|
/*
|
||||||
* Need to drop to security level 1 to allow TLS versions older
|
* Need to drop to security level 1 (or 0 with OpenSSL
|
||||||
* than 1.2 to be used when explicitly enabled in configuration.
|
* 3.0) to allow TLS versions older than 1.2 to be used
|
||||||
|
* when explicitly enabled in configuration.
|
||||||
*/
|
*/
|
||||||
SSL_set_security_level(conn->ssl, 1);
|
SSL_set_security_level(conn->ssl, need_level);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
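Review bot: With OpenSSL 3.0 the new `need_level` of 0 switches off every level-based minimum (key sizes, export suites, MD5/SHA1-based MACs and signature digests, SSLv3), not only the TLS 1.0/1.1 gate, so after `SSL_set_security_level(conn->ssl, need_level);` the configured cipher list and DH parameters are the only floor left for that connection. The updated block comment still describes the drop as being about TLS versions only; I would extend it with `* Level 0 also removes OpenSSL's key-size and signature-digest minimums, so the cipher/DH configuration is the only remaining floor on such connections.` and, if the surrounding code logs at this point, emit a `wpa_printf(MSG_DEBUG, ...)` line when the level is actually lowered so the downgrade is visible in debug output. The condition reads the level from `ssl` while the setter targets `conn->ssl`; that was already so before this change and presumably they are the same object, but using one name in both calls would make the intent explicit. tls_set_conn_flags begins before the hunk, so whether `ssl` is `conn->ssl` cannot be confirmed from here.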