Tolerate a Certificate using a non-supported group on server side If a server has been configured to use an ECDSA certificate, we should allow it regardless of whether the server's own supported groups list includes the certificate's group. Fixes #2033 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5601)
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index e940fc8..29db4bc 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c
@@ -2192,7 +2192,8 @@ * Check curve is named curve type and one of our preferences, if not * server has sent an invalid curve. */ - if (curve_type != NAMED_CURVE_TYPE || !tls1_check_group_id(s, curve_id)) { + if (curve_type != NAMED_CURVE_TYPE + || !tls1_check_group_id(s, curve_id, 1)) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_WRONG_CURVE); return 0;