Fix cross-version compatibility in RFC7919 changes
- Older versions of, e.g., the FIPS provider report the minimum
TLS version of the FFDHE groups as TLS 1.3, but we now need to
support these in TLS 1.2.
- Older OpenSSL runtimes may not be prepared to support the FFDHE groups
in TLS 1.2.
Therefore, instead of changing the default and FIPS providers to
advertise these groups as TLS 1.2 compatible, leave the capabilities
unchanged, and instead adjust the min(d)tls value when processing the
provider's capabilities in the new runtime.
This ensures cross-compatibility with everything except previous master
branch dev snapshots, but that's not a concern.
Fixes: #29958
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Feb 9 08:53:54 2026
(Merged from https://github.com/openssl/openssl/pull/29962)
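
The approach the commit message describes, as an added example that is not the OpenSSL patch itself: the consuming runtime lowers the minimum TLS version of RFC 7919 groups while ingesting a provider's capabilities, so the provider's own table stays unchanged. The struct, function names and sample table are hypothetical, and only the TLS (not DTLS) case is shown.

```c
#include <stddef.h>
#include <stdio.h>

#define TLS1_VERSION   0x0301
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/* Hypothetical, simplified view of one group capability reported by a provider. */
struct group_cap {
    const char *name;
    unsigned int group_id; /* IANA "TLS Supported Groups" code point */
    int min_tls;           /* lowest TLS version the provider says is allowed */
};

/* RFC 7919 FFDHE groups (ffdhe2048..ffdhe8192) are code points 0x0100..0x0104. */
int is_rfc7919_group(unsigned int id) { return id >= 0x0100 && id <= 0x0104; }

/* Runtime-side fix-up: override only the legacy "TLS 1.3 only" value, and only
 * for FFDHE groups, so other TLS 1.3-only groups are not widened by accident. */
size_t normalize_caps(struct group_cap *caps, size_t n)
{
    size_t i, adjusted = 0;
    for (i = 0; i < n; i++) {
        if (is_rfc7919_group(caps[i].group_id)
            && caps[i].min_tls == TLS1_3_VERSION) {
            caps[i].min_tls = TLS1_2_VERSION;
            adjusted++;
        }
    }
    return adjusted;
}

int group_usable(const struct group_cap *cap, int version)
{
    return cap->min_tls > 0 && version >= cap->min_tls;
}

/* Constructed sample of what an older provider might report. */
struct group_cap sample_caps[] = {
    { "ffdhe2048",      0x0100, TLS1_3_VERSION },
    { "x25519",         0x001D, TLS1_VERSION   },
    { "X25519MLKEM768", 0x11EC, TLS1_3_VERSION },
};

int main(void)
{
    size_t i, n = sizeof(sample_caps) / sizeof(sample_caps[0]);
    printf("adjusted %zu group(s)\n", normalize_caps(sample_caps, n));
    for (i = 0; i < n; i++)
        printf("%-15s usable in TLS 1.2: %d\n", sample_caps[i].name,
               group_usable(&sample_caps[i], TLS1_2_VERSION));
    return 0;
}
```

Because the adjustment lives in the consumer, it works with an older provider whose capability table still says TLS 1.3, which is the compatibility case the message calls out.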