OpenSSL: Update security level drop for TLS 1.0/1.1 with OpenSSL 3.0
authorJouni Malinen <quic_jouni@quicinc.com>
Tue, 11 Jan 2022 15:37:32 +0000 (17:37 +0200)
committerJouni Malinen <j@w1.fi>
Tue, 11 Jan 2022 15:42:55 +0000 (17:42 +0200)
OpenSSL 3.0 dropped these older TLS versions from the security level 2
to 1, so the security level needs to be dropped all the way to 0 if TLS v1.0 or
v1.1 is explicitly enabled.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/crypto/tls_openssl.c

index ad651bdc8e206395d9f48d6125bd9b6b74d1cb52..c9e00b3af8555f134e59cc2dca7498b9d060ff67 100644 (file)
@@ -3023,13 +3023,23 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
        !defined(LIBRESSL_VERSION_NUMBER) && \
        !defined(OPENSSL_IS_BORINGSSL)
-       if ((flags & (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
-           SSL_get_security_level(ssl) >= 2) {
-               /*
-                * Need to drop to security level 1 to allow TLS versions older
-                * than 1.2 to be used when explicitly enabled in configuration.
-                */
-               SSL_set_security_level(conn->ssl, 1);
+       {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+               int need_level = 0;
+#else
+               int need_level = 1;
+#endif
+
+               if ((flags &
+                    (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
+                   SSL_get_security_level(ssl) > need_level) {
+                       /*
+                        * Need to drop to security level 1 (or 0  with OpenSSL
+                        * 3.0) to allow TLS versions older than 1.2 to be used
+                        * when explicitly enabled in configuration.
+                        */
+                       SSL_set_security_level(conn->ssl, need_level);
+               }
        }
 #endif
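Review bot: Security level 0 removes every restriction OpenSSL's security levels enforce, not only the TLS 1.2 floor, so the new comment `Need to drop to security level 1 (or 0 with OpenSSL 3.0)` understates the effect of the `SSL_set_security_level(conn->ssl, need_level)` call; I would extend it with `At level 0 OpenSSL also stops enforcing its minimum key and cipher strength checks, so this path is only taken when TLS 1.0/1.1 is explicitly enabled in configuration.` Since this is an operator-visible weakening, the level change should also leave a trace in the log, e.g. `wpa_printf(MSG_DEBUG, "OpenSSL: Lowering security level to %d for TLS 1.0/1.1", need_level);` just before the set call. The comment text also has a stray double space in `0  with OpenSSL`. The condition reads the level from `ssl` while the assignment targets `conn->ssl`; if these refer to the same object, using one name in both places would make that clearer. The body of tls_set_conn_flags continues outside the hunk.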