Enforce the minimum TLS version requirement for QUIC.
authorjsing <jsing@openbsd.org>
Sun, 11 Sep 2022 18:13:30 +0000 (18:13 +0000)
committerjsing <jsing@openbsd.org>
Sun, 11 Sep 2022 18:13:30 +0000 (18:13 +0000)
ok tb@

lib/libssl/ssl_versions.c

index 06e26b8..4a58f14 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.23 2022/06/30 11:17:50 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.24 2022/09/11 18:13:30 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -177,6 +177,14 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
            s->internal->min_tls_version, s->internal->max_tls_version))
                return 0;
 
+       /* QUIC requires a minimum of TLSv1.3. */
+       if (SSL_is_quic(s)) {
+               if (max_version < TLS1_3_VERSION)
+                       return 0;
+               if (min_version < TLS1_3_VERSION)
+                       min_version = TLS1_3_VERSION;
+       }
+
        if (min_ver != NULL)
                *min_ver = min_version;
        if (max_ver != NULL)
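Review bot: The comment on the new QUIC block states the constraint but not its source, and the `return 0` when `max_version < TLS1_3_VERSION` leaves the caller with a bare failure, indistinguishable from the clamp failure a few lines above. I would anchor the requirement in the comment, e.g. `/* QUIC requires TLSv1.3 (RFC 9001, section 4.2): a lower max fails, a lower min is raised. */`, so a future reader does not loosen the check when debugging a handshake failure. Whether the surrounding function reports an SSLerror on its other `return 0` paths is not visible here, but the two visible ones do not, so this appears consistent with the existing style. The enclosing function, ssl_enabled_tls_version_range, begins before and continues after this hunk.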