(from parent 1:
c60ebfd
)
EDH >= 1024 bits even at security level 0
author
Viktor Dukhovni
<openssl-users@dukhovni.org>
Thu, 14 Jan 2016 06:16:16 +0000
(
01:16
-0500)
committer
Viktor Dukhovni
<openssl-users@dukhovni.org>
Thu, 14 Jan 2016 16:05:24 +0000
(11:05 -0500)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
ssl/ssl_cert.c
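--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1062,9 +1062,16 @@ static int ssl_security_default_callback(SSL *s, SSL_CTX *ctx, int op,
         level = SSL_CTX_get_security_level(ctx);
     else
         level = SSL_get_security_level(s);
-    /* Level 0: anything goes */
-    if (level <= 0)
+
+    if (level <= 0) {
+        /*
+         * No EDH keys weaker than 1024-bits even at level 0, otherwise,
+         * anything goes.
+         */
+        if (op == SSL_SECOP_TMP_DH && bits < 80)
+            return 0;
         return 1;
+    }
     if (level > 5)
         level = 5;
     minbits = minbits_table[level - 1];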
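Review bot: The new comment states the floor as a key size ("1024-bits") while the code compares `bits` against 80, and the `minbits_table[level - 1]` lookup on the last context line suggests `bits` is a security-strength estimate rather than the DH modulus length; a reader checking the constant against the comment has to know that a 1024-bit DH group is rated at roughly 80 security bits. Suggest making the mapping explicit in the comment, e.g. `/* 1024-bit DH is ~80 bits of security; reject weaker EDH groups even at level 0 */`, so the threshold is not mistaken for a raw bit length. It is also worth a one-line note that this floor lives only in the default security callback, so a process that installs its own callback presumably replaces it along with the rest of the level checks. ssl_security_default_callback begins and ends outside this hunk.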