diff options
| -rw-r--r-- | lib/algorithms/ciphersuites.c | 2 | ||||
| -rw-r--r-- | tests/psk-file.c | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/lib/algorithms/ciphersuites.c b/lib/algorithms/ciphersuites.c index ac1fdf9f41..4e840bdd8b 100644 --- a/lib/algorithms/ciphersuites.c +++ b/lib/algorithms/ciphersuites.c @@ -1581,7 +1581,7 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session, * incompatible certificate which we traditionally return GNUTLS_E_INSUFFICIENT_SECURITY. */ if (!no_cert_found && (session->internals.hsk_flags & HSK_HAVE_FFDHE) && - session->internals.priorities->groups.have_ffdhe) + session->internals.priorities->groups.have_ffdhe && !version->tls13_sem) return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY); else return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES); diff --git a/tests/psk-file.c b/tests/psk-file.c index e1e058ffe9..5bd01e42ce 100644 --- a/tests/psk-file.c +++ b/tests/psk-file.c @@ -381,7 +381,7 @@ void doit(void) "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+PSK:+DHE-PSK:%SERVER_PRECEDENCE:-GROUP-DH-ALL", "jas", &key, 0, GNUTLS_KX_PSK, 0, 0); /* try with PRF that doesn't match binder (SHA256) */ - run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM:+PSK:+DHE-PSK", NULL, "jas", &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_INSUFFICIENT_SECURITY); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM:+PSK:+DHE-PSK", NULL, "jas", &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_CIPHER_SUITES); /* try with no groups and PSK */ run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-GROUP-ALL", "jas", &key, 0, 0); /* try without any groups but DHE-PSK */ |