Set security level in cipher string.
[openssl.git] / ssl / s23_srvr.c
index 48778490135eb01130dcf009c3dda7534ffb341b..cb2b138f08d573f8b01782a9ed700a51fff31d44 100644 (file)
@@ -425,6 +425,13 @@ int ssl23_get_client_hello(SSL *s)
                        }
                }
 
+       if (s->version < TLS1_2_VERSION && tls1_suiteb(s))
+               {
+               SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+                               SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
+               goto err;
+               }
+
 #ifdef OPENSSL_FIPS
        if (FIPS_mode() && (s->version < TLS1_VERSION))
                {
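Review bot: The new Suite B gate at `if (s->version < TLS1_2_VERSION && tls1_suiteb(s))` has no comment, and it is now one of three separate version gates in this function (Suite B, FIPS, and the security-level check added in the next hunk), each with its own error code. A one-line comment such as `/* Suite B mode: only TLS 1.2 may be negotiated, reject anything lower */` would make the policy readable without looking up the error constant. Both added blocks leave through `goto err`, and the `err` label is outside the hunk, so it is not visible whether the peer receives an alert or only a closed connection. That is worth confirming, because it affects how a refused downgrade shows up in client logs and monitoring.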
@@ -434,6 +441,12 @@ int ssl23_get_client_hello(SSL *s)
                }
 #endif
 
+       if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL))
+               {
+               SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_VERSION_TOO_LOW);
+               goto err;
+               }
+
        if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
                {
                /* we have SSLv3/TLSv1 in an SSLv2 header
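Review bot: The security-level check reads `s->version` ahead of the `SSL23_ST_SR_CLNT_HELLO_B` branch, and the hunk does not show whether every hello format parsed earlier in `ssl23_get_client_hello` has already stored the version that will be used in `s->version`. If any path selects its version later (possibly a hello carried in an SSLv2 record, which the context comment mentions), the check would evaluate a different value from the one negotiated. That path should be confirmed or given its own `ssl_security` call. The literal `0` passed as the bits argument is also unexplained; a comment such as `/* SSL_SECOP_VERSION: bits unused, protocol version passed in the nid argument */` would document the call.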