Allow TLS-1.3 ciphersuites in @SECLEVEL=3 and above

The TLS-1.3 ciphersuites must not be blocked by @SECLEVEL=3 even though they are not explicitly marked as using DH/ECDH. Reviewed-by: Kurt Roeckx <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Rich Salz <[email protected]> (Merged from openssl#6959)
pfsmorigo · Aug 22, 2018 · c6ea088 · c6ea088
1 parent 3b8e97a
commit c6ea088
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
@@ -947,7 +947,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
             if (level >= 2 && c->algorithm_enc == SSL_RC4)
                 return 0;
             /* Level 3: forward secure ciphersuites only */
-            if (level >= 3 && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
+            if (level >= 3 && (c->min_tls != TLS1_3_VERSION ||
+                               !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))))
                 return 0;
             break;
         }