author | Matt Caswell <matt@openssl.org> | 2016-12-05 14:58:51 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-01-10 23:02:50 +0000 |
commit | 3f305a80e9a449a1c8671f387ac3e0575dfdd9bf (patch) | |
tree | 011b4952accb438870cf3730927505135af99c6e /ssl/ssl_lib.c | |
parent | 684b16953b1c81d77990849533aa723b6a955ecd (diff) |
Add a TODO(TLS1.3) around certificate selection
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Diffstat (limited to 'ssl/ssl_lib.c')
-rw-r--r-- | ssl/ssl_lib.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 58873456c8..21ea2843f7 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2823,6 +2823,12 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 static int ssl_get_server_cert_index(const SSL *s)
 {
 int idx;
+
+ /*
+ * TODO(TLS1.3): In TLS1.3 the selected certificate is not based on the
+ * ciphersuite. For now though it still is. Our only TLS1.3 ciphersuite
+ * forces the use of an RSA cert. This will need to change.
+ */
 idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
 if (idx == SSL_PKEY_RSA_ENC && !s->cert->pkeys[SSL_PKEY_RSA_ENC].x509)
 idx = SSL_PKEY_RSA_SIGN; |
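Review bot: The TODO added at the top of ssl_get_server_cert_index records that ciphersuite-based selection is wrong for TLS1.3 but not what should replace it, so whoever picks it up has to rediscover the intended rule. If I read the TLS 1.3 design correctly, the certificate should be chosen from the peer's signature_algorithms extension; one more comment line such as `* Selection should be driven by the peer's signature_algorithms instead.` would say so. It would also help to note the interim effect, presumably that a server holding only a non-RSA certificate cannot complete a TLS1.3 handshake, so the limitation is visible to anyone debugging a failed negotiation. The function body continues past the end of the hunk.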