diff options
| author | Tomas Mraz <tomas@openssl.org> | 2021-07-20 13:08:31 +0200 |
|---|---|---|
| committer | Pauli <pauli@openssl.org> | 2021-07-27 13:19:20 +1000 |
| commit | 26411bc8879bf979e3703357e9595de057528e28 (patch) | |
| tree | 7c9ed8e37d9512d62a56bbb45224e9a12f7e6b11 /ssl | |
| parent | c9eb45987036314b150fdeed8a8a8a24bfa71687 (diff) | |
KTLS: AES-CCM in TLS-1.3 is broken on 5.x kernels, disable it
Fixes #16089
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16120)
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/ktls.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ssl/ktls.c b/ssl/ktls.c index 2d691fdeb2..02dbb937ea 100644 --- a/ssl/ktls.c +++ b/ssl/ktls.c @@ -133,7 +133,8 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, { # ifdef OPENSSL_KTLS_AES_CCM_128 case NID_aes_128_ccm: - if (EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN) + if (s->version == TLS_1_3_VERSION /* broken on 5.x kernels */ + || EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN) return 0; # endif # ifdef OPENSSL_KTLS_AES_GCM_128 |