- diff --git a/src/main/tls.c b/src/main/tls.c
- index cb6d0454c3..96f23112df 100644
- --- a/src/main/tls.c
- +++ b/src/main/tls.c
- @@ -2954,29 +2954,6 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client)
- return NULL;
- }
- -#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- - /*
- - * OpenSSL appears to have a bug where it does
- - * not allow PSK and certs to be used at the same
- - * time. RFC 8446 Section 2 (page 12) says:
- - *
- - * "Note that implementations can use (EC)DHE and PSK
- - * together, in which case both extensions will be supplied."
- - *
- - * Instead of having weird failures, we just warn
- - * the end user.
- - */
- - if (((conf->psk_identity || conf->psk_password || conf->psk_query)) &&
- - (conf->certificate_file || conf->private_key_password || conf->private_key_file)) {
- - radlog(L_DBG | L_WARN, "Disabling TLS 1.3 due to PSK and certificates being configured simultaneousy. This is not supported by OpenSSL");
- -
- - if (!SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION)) {
- - ERROR("Failed setting maximum TLS version to 1.2 for OpenSSL 1.1, due to PSK and certs.");
- - return NULL;
- - }
- - }
- -#endif /* OpenSSL version >1.1.0 */
- -
- goto post_ca;
- }
- #else
- @@ -3124,6 +3101,24 @@ post_ca:
- }
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L
- + /*
- + * OpenSSL appears to have a bug where it does
- + * not allow PSK and certs to be used at the same
- + * time. RFC 8446 Section 2 (page 12) says:
- + *
- + * "Note that implementations can use (EC)DHE and PSK
- + * together, in which case both extensions will be supplied."
- + *
- + * Instead of having weird failures, we just warn
- + * the end user.
- + */
- + if ((conf->psk_identity || conf->psk_password || conf->psk_query) &&
- + (conf->certificate_file || conf->private_key_password || conf->private_key_file) &&
- + (max_version == TLS1_3_VERSION)) {
- + radlog(L_DBG | L_WARN, "Disabling TLS 1.3 due to PSK and certificates being configured simultaneousy. This is not supported by OpenSSL");
- + max_version = TLS1_2_VERSION;
- + }
- +
- if (!SSL_CTX_set_max_proto_version(ctx, max_version)) {
- ERROR("Failed setting TLS maximum version");
- return NULL;