Security level >= 3 requires a ciphersuite with PFS

ok beck jsing sthen
author: tb <> 2022-06-28 20:53:32 +0000
committer: tb <> 2022-06-28 20:53:32 +0000
commit: 78976315e28b9e4c2e12060ea0c297e2c41eca22 (patch)
tree: 94953aad588c19f343147636e5c97306a17a0d3e /src
parent: fc45ab833d276d3dec86a490250a423b73912a25 (diff)
download: openbsd-78976315e28b9e4c2e12060ea0c297e2c41eca22.tar.gz
openbsd-78976315e28b9e4c2e12060ea0c297e2c41eca22.tar.bz2
openbsd-78976315e28b9e4c2e12060ea0c297e2c41eca22.zip
1 files changed, 4 insertions, 3 deletions
diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c
index c3d23b2547..39b1bf341e 100644
--- a/src/lib/libssl/ssl_seclevel.c
+++ b/src/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_seclevel.c,v 1.3 2022/06/28 20:49:16 tb Exp $ */
+/*      $OpenBSD: ssl_seclevel.c,v 1.4 2022/06/28 20:53:32 tb Exp $ */
 /*
 * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 *
@@ -114,8 +114,9 @@ ssl_security_secop_cipher(const SSL_CTX *ctx, const SSL *ssl, int bits,
        if (security_level <= 2)
                return 1;
-        /* XXX TLSv1.3 */
+        /* Security level >= 3 requires a cipher with forward secrecy. */
-        if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0)
+        if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) == 0 &&
+            cipher->algorithm_ssl != SSL_TLSV1_3)
                return 0;
        return 1;
author	tb <>	2022-06-28 20:53:32 +0000
committer	tb <>	2022-06-28 20:53:32 +0000
commit	78976315e28b9e4c2e12060ea0c297e2c41eca22 (patch)
tree	94953aad588c19f343147636e5c97306a17a0d3e /src
parent	fc45ab833d276d3dec86a490250a423b73912a25 (diff)
download	openbsd-78976315e28b9e4c2e12060ea0c297e2c41eca22.tar.gz openbsd-78976315e28b9e4c2e12060ea0c297e2c41eca22.tar.bz2 openbsd-78976315e28b9e4c2e12060ea0c297e2c41eca22.zip