Do not allow non-dhe kex_modes by default Allow that mode to be configured if desired. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3833)

commit: e3c0d76bc7848aae01fe9a86720d435b999f3bc1 [log] [tgz]
author: Matt Caswell <matt@openssl.org> Fri Jun 30 09:41:03 2017 +0100
committer: Matt Caswell <matt@openssl.org> Fri Jul 07 16:08:05 2017 +0100
tree: 7b4e014eee678d04c4bef40ccfa1da623a5c6009
parent: 515982154031b679f58d5e2cbd7752294779221e [diff] [blame]
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 3da9f55..7f30ac7 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c

@@ -477,7 +477,8 @@
     while (PACKET_get_1(&psk_kex_modes, &mode)) {
         if (mode == TLSEXT_KEX_MODE_KE_DHE)
             s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
-        else if (mode == TLSEXT_KEX_MODE_KE)
+        else if (mode == TLSEXT_KEX_MODE_KE
+                && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
             s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
     }
 #endif
commit	e3c0d76bc7848aae01fe9a86720d435b999f3bc1	[log] [tgz]
author	Matt Caswell <matt@openssl.org>	Fri Jun 30 09:41:03 2017 +0100
committer	Matt Caswell <matt@openssl.org>	Fri Jul 07 16:08:05 2017 +0100
tree	7b4e014eee678d04c4bef40ccfa1da623a5c6009
parent	515982154031b679f58d5e2cbd7752294779221e [diff] [blame]