diff options
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-14 01:16:16 -0500 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-14 11:05:24 -0500 |
commit | a7cf07b4961347713b0fea321c301a0a618b4f2e (patch) | |
tree | 7b69e9e6c51ac289b818b122b1f3dbdeb1e4a48f /ssl/ssl_cert.c | |
parent | c60ebfdc0860458e2a24d86760a7d686cfe1f995 (diff) |
EDH >= 1024 bits even at security level 0
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'ssl/ssl_cert.c')
-rw-r--r-- | ssl/ssl_cert.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 7f01bcc641..75ccc72414 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1062,9 +1062,16 @@ static int ssl_security_default_callback(SSL *s, SSL_CTX *ctx, int op, level = SSL_CTX_get_security_level(ctx); else level = SSL_get_security_level(s); - /* Level 0: anything goes */ - if (level <= 0) + + if (level <= 0) { + /* + * No EDH keys weaker than 1024-bits even at level 0, otherwise, + * anything goes. + */ + if (op == SSL_SECOP_TMP_DH && bits < 80) + return 0; return 1; + } if (level > 5) level = 5; minbits = minbits_table[level - 1]; |