diff options
author | Matt Caswell <matt@openssl.org> | 2017-06-30 09:41:03 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-07-07 16:08:05 +0100 |
commit | e3c0d76bc7848aae01fe9a86720d435b999f3bc1 (patch) | |
tree | 7b4e014eee678d04c4bef40ccfa1da623a5c6009 /apps/apps.h | |
parent | 515982154031b679f58d5e2cbd7752294779221e (diff) |
Do not allow non-dhe kex_modes by default
Allow that mode to be configured if desired.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3833)
Diffstat (limited to 'apps/apps.h')
-rw-r--r-- | apps/apps.h | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/apps/apps.h b/apps/apps.h index 4ec0693b30..09c601b62f 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -214,10 +214,11 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate, OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \ OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \ OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \ - OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \ - OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, OPT_S_CURVES, OPT_S_NAMEDCURVE, \ - OPT_S_CIPHER, OPT_S_DHPARAM, OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, \ - OPT_S_COMP, OPT_S_NO_RENEGOTIATION, OPT_S__LAST + OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_ALLOW_NO_DHE_KEX, \ + OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \ + OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_DHPARAM, \ + OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \ + OPT_S_NO_RENEGOTIATION, OPT_S__LAST # define OPT_S_OPTIONS \ {"no_ssl3", OPT_S_NOSSL3, '-',"Just disable SSLv3" }, \ @@ -241,6 +242,8 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate, "Disallow session resumption on renegotiation"}, \ {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-', \ "Disallow initial connection to servers that don't support RI"}, \ + {"allow_no_dhe_kex", OPT_S_ALLOW_NO_DHE_KEX, '-', \ + "In TLSv1.3 allow non-(ec)dhe based key exchange on resumption"}, \ {"strict", OPT_S_STRICT, '-', \ "Enforce strict certificate checks as per TLS standard"}, \ {"sigalgs", OPT_S_SIGALGS, 's', \ @@ -279,6 +282,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate, case OPT_S_LEGACYCONN: \ case OPT_S_ONRESUMP: \ case OPT_S_NOLEGACYCONN: \ + case OPT_S_ALLOW_NO_DHE_KEX: \ case OPT_S_STRICT: \ case OPT_S_SIGALGS: \ case OPT_S_CLIENTSIGALGS: \ |