From a1ab956a027ee252855f481509ec200c55931cfc Mon Sep 17 00:00:00 2001 From: tb Date: Tue, 28 Jun 2022 20:53:32 +0000 Subject: [PATCH] Security level >= 3 requires a ciphersuite with PFS ok beck jsing sthen --- lib/libssl/ssl_seclevel.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/libssl/ssl_seclevel.c b/lib/libssl/ssl_seclevel.c index c3d23b25476..39b1bf341e7 100644 --- a/lib/libssl/ssl_seclevel.c +++ b/lib/libssl/ssl_seclevel.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_seclevel.c,v 1.3 2022/06/28 20:49:16 tb Exp $ */ +/* $OpenBSD: ssl_seclevel.c,v 1.4 2022/06/28 20:53:32 tb Exp $ */ /* * Copyright (c) 2020 Theo Buehler * @@ -114,8 +114,9 @@ ssl_security_secop_cipher(const SSL_CTX *ctx, const SSL *ssl, int bits, if (security_level <= 2) return 1; - /* XXX TLSv1.3 */ - if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0) + /* Security level >= 3 requires a cipher with forward secrecy. */ + if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) == 0 && + cipher->algorithm_ssl != SSL_TLSV1_3) return 0; return 1; -- 2.20.1