diff options
author | Tomas Mraz <tmraz@fedoraproject.org> | 2020-09-11 09:09:29 +0200 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2020-09-17 17:15:15 +0200 |
commit | cccf532fef10aaa2d682227061b8828a1eb2c031 (patch) | |
tree | eebff041321fc8ca671a21369395370e806175d2 /ssl/statem | |
parent | fe2f8aecfe4a0de483334bf671a8eb4f14444c00 (diff) |
Disallow certs with explicit curve in verification chain
The check is applied only with X509_V_FLAG_X509_STRICT.
Fixes #12139
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12683)
Diffstat (limited to 'ssl/statem')
-rw-r--r-- | ssl/statem/statem_lib.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 6d0efb3239..618a58d659 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -1408,6 +1408,7 @@ int tls_get_message_body(SSL *s, size_t *len) static const X509ERR2ALERT x509table[] = { {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE}, {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE}, {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE}, {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA}, {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED}, |