
pike.git/lib/modules/SSL.pmod/Session.pike:353:
   }
  #endif
 
   if (!sizeof(ffdhe_groups)) {
   // The client doesn't support the same set of Finite Field
   // Diffie-Hellman groups as we do, so filter DHE.
   ke_mask &= ~((1<<KE_dhe_dss)|(1<<KE_dhe_rsa)|
   (1<<KE_dh_anon)|(1<<KE_dhe_psk));
   }
 
+  if (version >= PROTOCOL_TLS_1_3) {
+  // TLS 1.3 and later only support ephemeral keyexchanges.
+  ke_mask &= ((1<<KE_dhe_dss)|(1<<KE_dhe_rsa)|(1<<KE_dh_anon)|
+  (1<<KE_ecdhe_ecdsa)|(1<<KE_ecdhe_rsa)|(1<<KE_ecdh_anon));
+  }
+
   // Given the set of certs, filter the set of client_suites,
   // to find the best.
   cipher_suites =
   filter(cipher_suites, is_supported_suite, ke_mask, version);
 
   if (!sizeof(cipher_suites)) {
   SSL3_DEBUG_MSG("No suites left after certificate filtering.\n");
   return 0;
   }
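Review bot: The allow-mask added under `version >= PROTOCOL_TLS_1_3` keeps `KE_dh_anon` and `KE_ecdh_anon`, which are ephemeral but unauthenticated, so the comment "only support ephemeral keyexchanges" hides that this branch still admits suites with no peer authentication if any are present in `cipher_suites`. It also leaves out `KE_dhe_psk`, which the FFDHE filter a few lines above treats as a DHE exchange, so the two masks disagree on what counts as ephemeral. If anonymous exchange is not meant to be negotiable at this protocol version, drop the two anon bits, e.g. `ke_mask &= ((1<<KE_dhe_dss)|(1<<KE_dhe_rsa)|(1<<KE_ecdhe_ecdsa)|(1<<KE_ecdhe_rsa));`, and otherwise extend the comment to say that anon is deliberately kept and why PSK is excluded. Whether an anon suite can actually be selected depends on `is_supported_suite` and the configured suite list, neither of which is visible here, and the enclosing function starts and ends outside the hunk.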