author | Pauli <pauli@openssl.org> | 2022-05-04 13:01:35 +1000 |
committer | Pauli <pauli@openssl.org> | 2022-05-08 16:58:00 +1000 |
commit | 7bf2e4d7f0c7ae19b7a8c416910886a7171e9820 (patch) | |
tree | 0a1e1a9b8a7603bf2d4f2fef7a805a80feb6e29e /ssl | |
parent | ac23650c1e53658227436aecc8de03a7ac3d1b9a (diff) | |
tls: ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above
This is in line with the NEWS entry (erroneously) announcing such for 3.0.
Fixes #18194
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18236)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/ssl_cert.c | 14 |
1 files changed, 4 insertions, 10 deletions
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index e8c11eabc3..267e8695f9 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1047,18 +1047,12 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
 }
 case SSL_SECOP_VERSION:
 if (!SSL_IS_DTLS(s)) {
- /* SSLv3 not allowed at level 2 */
- if (nid <= SSL3_VERSION && level >= 2)
- return 0;
- /* TLS v1.1 and above only for level 3 */
- if (nid <= TLS1_VERSION && level >= 3)
- return 0;
- /* TLS v1.2 only for level 4 and above */
- if (nid <= TLS1_1_VERSION && level >= 4)
+ /* SSLv3, TLS v1.0 and TLS v1.1 only allowed at level 0 */
+ if (nid <= TLS1_1_VERSION && level > 0)
 return 0;
 } else {
- /* DTLS v1.2 only for level 4 and above */
- if (DTLS_VERSION_LT(nid, DTLS1_2_VERSION) && level >= 4)
+ /* DTLS v1.0 only allowed at level 0 */
+ if (DTLS_VERSION_LT(nid, DTLS1_2_VERSION) && level > 0)
 return 0;
 }
 break;
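Review bot: The comment on the new TLS branch understates what the condition rejects: `nid <= TLS1_1_VERSION` refuses every protocol number at or below TLS v1.1, which includes SSLv2's version number and not only the three versions named, so `/* TLS v1.1 and below (SSLv3, TLS v1.0, TLS v1.1) only allowed at level 0 */` would describe the check as written. Both branches now apply the identical `level > 0` gate and differ only in how the version is compared, so they could be folded into one statement, e.g. `if (level > 0 && (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(nid, DTLS1_2_VERSION) : nid <= TLS1_1_VERSION)) return 0;`, although keeping the DTLS ordering macro in its own branch is arguably clearer given DTLS version numbers compare in the opposite direction. The diffstat is limited to ssl/, so the test that pins level 1 rejecting TLS v1.1 and DTLS v1.0, and the matching man-page change, cannot be seen from here; presumably they accompany this commit. ssl_security_default_callback begins and ends outside the hunk.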