From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <quic_jouni@quicinc.com>
Date: Wed, 30 Nov 2022 14:01:55 +0200
Subject: [PATCH] OpenSSL: Apply connection flags before reading certificates
This is needed to be able to drop the OpenSSL security level, if
necessary, for cases where old certificates (e.g., something using SHA-1
signatures) are still needed. openssl_ciphers="DEFAULT@SECLEVEL=0" can
achieve this, but only if applied before attempting to load the
certificates.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
---
src/crypto/tls_openssl.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
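diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index dad1135c692d..7a929450b949 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -5203,6 +5203,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 __func__, ERR_error_string(err, NULL));
 }
 
+if (tls_set_conn_flags(conn, params->flags,
+params->openssl_ciphers) < 0)
+return -1;
+
 if (engine_id) {
 wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine %s",
 engine_id);
@@ -5308,10 +5312,6 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 #endif /* OPENSSL_IS_BORINGSSL */
 }
 
-if (tls_set_conn_flags(conn, params->flags,
-params->openssl_ciphers) < 0)
-return -1;
-
 #ifdef OPENSSL_IS_BORINGSSL
 if (params->flags & TLS_CONN_REQUEST_OCSP) {
 SSL_enable_ocsp_stapling(conn->ssl);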