authorKurt Roeckx <kurt@roeckx.be>2020-01-02 23:25:27 +0100
committerKurt Roeckx <kurt@roeckx.be>2020-06-27 08:41:40 +0200
commitaba03ae571ea677fc484daef00a21ca8f7e82708 (patch)
treebf3f446083418e99c72828d32986d616c2e4c66b /test/sslapitest.c
parentFix syntax of cipher string (diff)
Reduce the security bits for MD5 and SHA1 based signatures in TLS
The effect is that SHA1 and MD5+SHA1 are no longer supported at security level 1, and that TLS < 1.2 is no longer supported at the default security level of 1; to use TLS < 1.2 you need to set the security level to 0. Reviewed-by: Tim Hudson <tjh@openssl.org> GH: #10787
Diffstat (limited to 'test/sslapitest.c')
-rw-r--r--test/sslapitest.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 989d041a17..30dcae3fb1 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -5567,6 +5567,10 @@ static int test_export_key_mat(int tst)
OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
+ if ((protocols[tst] < TLS1_2_VERSION) &&
+ (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
+ || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
+ goto end;
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
NULL))
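Review bot: The two added `SSL_CTX_set_cipher_list()` calls are not wrapped in `TEST_true()`, so if either fails the test jumps to `end` without the diagnostic that the `create_ssl_objects()` check just below would print. I would write them as `(!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))` and `|| !TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))))`. The block also deserves a comment saying why the level is lowered and that it is for the test only, for example `/* TLS < 1.2 relies on MD5+SHA1 signatures, which no longer meet security level 1; lower the level for this test only */`, so the string is not copied into non-test code as a general workaround. The body of `test_export_key_mat` starts and ends outside this hunk, so I cannot see whether anything later depends on the cipher list being reset to `DEFAULT`.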