Only allow ephemeral RSA keys in export ciphersuites.
[openssl.git] / ssl / d1_srvr.c
index e40701ee622b4a2ddaec7a25bc0f558455dfc992..da4c21e06a1c724b9145b9340480c6890c1d0be6 100644 (file)
@@ -454,24 +454,15 @@ int dtls1_accept(SSL *s)
                case SSL3_ST_SW_KEY_EXCH_B:
                        alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
 
-                       /* clear this, it may get reset by
-                        * send_server_key_exchange */
-                       if ((s->options & SSL_OP_EPHEMERAL_RSA)
-#ifndef OPENSSL_NO_KRB5
-                               && !(alg_k & SSL_kKRB5)
-#endif /* OPENSSL_NO_KRB5 */
-                               )
-                               /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
-                                * even when forbidden by protocol specs
-                                * (handshake may fail as clients are not required to
-                                * be able to handle this) */
-                               s->s3->tmp.use_rsa_tmp=1;
-                       else
-                               s->s3->tmp.use_rsa_tmp=0;
+                       /*
+                        * clear this, it may get reset by
+                        * send_server_key_exchange
+                        */
+                       s->s3->tmp.use_rsa_tmp=0;
 
                        /* only send if a DH key exchange or
                         * RSA but we have a sign only certificate */
-                       if (s->s3->tmp.use_rsa_tmp
+                       if (0
                        /* PSK: send ServerKeyExchange if PSK identity
                         * hint if provided */
 #ifndef OPENSSL_NO_PSK
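Review bot: The bare `if (0` that replaces `s->s3->tmp.use_rsa_tmp` at the head of the ServerKeyExchange condition reads like leftover debugging and does not say why the RSA term is gone. If the constant is needed so that the following terms, the first of which sits under `#ifndef OPENSSL_NO_PSK`, still parse, say so in place, e.g. `if (0 /* placeholder: use_rsa_tmp is always 0 here; keeps the conditional terms below well-formed */`. The rewritten comment above the assignment also drops the rationale; I would extend it with `SSL_OP_EPHEMERAL_RSA is deliberately ignored: a temporary RSA key is only valid for export ciphersuites`, so a later change does not restore the option-driven path for non-export suites. The condition continues past the end of the hunk, so its remaining terms are not visible here. Since the option becomes a no-op in this state, it is worth confirming that the other server accept paths, the client-side handling of an unexpected temporary RSA key, and the option's documentation are updated to match.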