(parent:
b7e46a9
)
For more than 160 bits of security disable SHA1 HMAC
author
Dr. Stephen Henson
<steve@openssl.org>
Sat, 5 Apr 2014 12:39:35 +0000
(13:39 +0100)
committer
Dr. Stephen Henson
<steve@openssl.org>
Sat, 5 Apr 2014 12:39:35 +0000
(13:39 +0100)
ssl/ssl_cert.c
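--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1411,6 +1411,9 @@ static int ssl_security_default_callback(SSL *s, SSL_CTX *ctx, int op, int bits,
 /* No MD5 mac ciphersuites */
 if (c->algorithm_mac & SSL_MD5)
 return 0;
+ /* SHA1 HMAC is 160 bits of security */
+ if (minbits > 160 && c->algorithm_mac & SSL_SHA1)
+ return 0;
 /* Level 2: no RC4 */
 if (level >= 2 && c->algorithm_enc == SSL_RC4)
 return 0;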
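Review bot: The added SHA1 test mixes `>`, `&&` and `&` without parentheses and hard-codes 160; it parses as intended because `&` binds tighter than `&&`, but `if (minbits > 160 && (c->algorithm_mac & SSL_SHA1))` makes the grouping explicit. The comment could state the rule rather than only the figure, for example `/* HMAC-SHA1 tag is 160 bits: reject SHA1-MAC suites when the level requires more than 160 bits */`. In the visible lines only SHA1 is bounded against minbits (MD5 is rejected outright), so whether other MAC algorithms with short tags are capped the same way cannot be told from this hunk and is worth confirming. The body of ssl_security_default_callback starts and ends outside the hunk, where minbits, level and c are set.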