From 78976315e28b9e4c2e12060ea0c297e2c41eca22 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 28 Jun 2022 20:53:32 +0000
Subject: Security level >= 3 requires a ciphersuite with PFS

ok beck jsing sthen
---
 src/lib/libssl/ssl_seclevel.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c
index c3d23b2547..39b1bf341e 100644
--- a/src/lib/libssl/ssl_seclevel.c
+++ b/src/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_seclevel.c,v 1.3 2022/06/28 20:49:16 tb Exp $ */
+/* $OpenBSD: ssl_seclevel.c,v 1.4 2022/06/28 20:53:32 tb Exp $ */
 /*
  * Copyright (c) 2020 Theo Buehler
  *
@@ -114,8 +114,9 @@ ssl_security_secop_cipher(const SSL_CTX *ctx, const SSL *ssl, int bits,
 if (security_level <= 2)
 return 1;
 
- /* XXX TLSv1.3 */
- if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0)
+ /* Security level >= 3 requires a cipher with forward secrecy. */
+ if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) == 0 &&
+ cipher->algorithm_ssl != SSL_TLSV1_3)
 return 0;
 
 return 1;
-- 
cgit v1.2.3-55-g6feb
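Review bot: The new TLSv1.3 exemption compares `cipher->algorithm_ssl` for exact inequality with `SSL_TLSV1_3`, whereas the `algorithm_mkey` test on the line above treats its field as a bitmask; if `algorithm_ssl` is likewise a flag field that could ever carry more than one protocol bit, the exact comparison would silently stop exempting TLSv1.3 suites, so `(cipher->algorithm_ssl & SSL_TLSV1_3) == 0` would be the safer and more consistent form. The added comment states the policy but not why TLSv1.3 is exempt, which is the non-obvious part of the condition; I would extend it to `/* Security level >= 3 requires forward secrecy. TLSv1.3 ciphersuites carry no key-exchange flag but always use (EC)DHE. */`. The body of ssl_security_secop_cipher starts before this hunk, so any null check on `cipher` is assumed to live there.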