diff options
| author | jsing <> | 2026-04-03 12:58:19 +0000 |
|---|---|---|
| committer | jsing <> | 2026-04-03 12:58:19 +0000 |
| commit | 42d1ecbb4220b6260fa2da63402ec3f5cbad849a (patch) | |
| tree | 54561e6b94ac4ffe54812d2ae61334aacbe86c53 /src/lib/libssl/ssl_srvr.c | |
| parent | d8c990b8ab23e4f390c5f883d8da8177ef804444 (diff) | |
| download | openbsd-42d1ecbb4220b6260fa2da63402ec3f5cbad849a.tar.gz openbsd-42d1ecbb4220b6260fa2da63402ec3f5cbad849a.tar.bz2 openbsd-42d1ecbb4220b6260fa2da63402ec3f5cbad849a.zip | |
Ensure that we cannot negotiate TLSv1.1 or lower.
TLS versions prior to TLSv1.2 were disabled a while ago, however this
was done in the version handling code. Remove TLSv1.1 and earlier from
ssl_get_method() and add an explicit min version check in the legacy
client and server, to provide a stronger guarantee.
ok kenjiro@ tb@
Diffstat (limited to 'src/lib/libssl/ssl_srvr.c')
| -rw-r--r-- | src/lib/libssl/ssl_srvr.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index ef93e283de..af4b20f6ce 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_srvr.c,v 1.167 2025/12/04 21:03:42 beck Exp $ */ | 1 | /* $OpenBSD: ssl_srvr.c,v 1.168 2026/04/03 12:58:19 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -238,6 +238,13 @@ ssl3_accept(SSL *s) | |||
| 238 | goto end; | 238 | goto end; |
| 239 | } | 239 | } |
| 240 | 240 | ||
| 241 | /* Ensure that we cannot negotiate TLSv1.1 or lower. */ | ||
| 242 | if (s->s3->hs.our_min_tls_version < TLS1_2_VERSION) { | ||
| 243 | SSLerror(s, ERR_R_INTERNAL_ERROR); | ||
| 244 | ret = -1; | ||
| 245 | goto end; | ||
| 246 | } | ||
| 247 | |||
| 241 | if (!ssl_security_version(s, | 248 | if (!ssl_security_version(s, |
| 242 | s->s3->hs.our_min_tls_version)) { | 249 | s->s3->hs.our_min_tls_version)) { |
| 243 | SSLerror(s, SSL_R_VERSION_TOO_LOW); | 250 | SSLerror(s, SSL_R_VERSION_TOO_LOW); |