OpenSSL: Apply connection flags before reading certificates
This is needed to be able to drop the OpenSSL security level, if necessary, for cases where old certificates (e.g., something using SHA-1 signatures) are still needed. openssl_ciphers="DEFAULT@SECLEVEL=0" can achieve this, but only if applied before attempting to load the certificates. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
parent
bbd5a4689b
commit
e9b4ad2364
1 changed files with 4 additions and 4 deletions
|
@ -5377,6 +5377,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
|
|||
__func__, ERR_error_string(err, NULL));
|
||||
}
|
||||
|
||||
if (tls_set_conn_flags(conn, params->flags,
|
||||
params->openssl_ciphers) < 0)
|
||||
return -1;
|
||||
|
||||
if (engine_id) {
|
||||
wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine %s",
|
||||
engine_id);
|
||||
|
@ -5475,10 +5479,6 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
|
|||
#endif /* OPENSSL_IS_BORINGSSL */
|
||||
}
|
||||
|
||||
if (tls_set_conn_flags(conn, params->flags,
|
||||
params->openssl_ciphers) < 0)
|
||||
return -1;
|
||||
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
if (params->flags & TLS_CONN_REQUEST_OCSP) {
|
||||
SSL_enable_ocsp_stapling(conn->ssl);
|
||||
|
|
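Review bot: The relocated `tls_set_conn_flags()` call in the first hunk (just after the `ERR_error_string()` error path and before the engine initialization) carries no comment saying why it has to run before the certificate-loading code, so a later refactor could move it back down and silently reintroduce the problem this commit fixes. A short comment at the call would preserve that intent: `/* Apply flags and openssl_ciphers (e.g. a lowered security level) before loading certificates; note the level applies to the whole connection, not only to certificate checks. */`. The ordering change also means that anything between the old position (second hunk, after the `#endif /* OPENSSL_IS_BORINGSSL */` block) and the new one which sets the same SSL options or cipher list is no longer overridden by tls_set_conn_flags, which is worth confirming from the part of the function outside these hunks. tls_connection_set_params begins and ends outside both hunks.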