-rw-r--r--lib/algorithms/ciphersuites.c2
-rw-r--r--tests/psk-file.c2
2 files changed, 2 insertions, 2 deletions
diff --git a/lib/algorithms/ciphersuites.c b/lib/algorithms/ciphersuites.c
index ac1fdf9f41..4e840bdd8b 100644
--- a/lib/algorithms/ciphersuites.c
+++ b/lib/algorithms/ciphersuites.c
@@ -1581,7 +1581,7 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
* incompatible certificate which we traditionally return GNUTLS_E_INSUFFICIENT_SECURITY.
*/
if (!no_cert_found && (session->internals.hsk_flags & HSK_HAVE_FFDHE) &&
- session->internals.priorities->groups.have_ffdhe)
+ session->internals.priorities->groups.have_ffdhe && !version->tls13_sem)
return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);
else
return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES);
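Review bot: The comment above this condition still describes only the traditional FFDHE/certificate case and gives no reason for the added `!version->tls13_sem`, so a later reader cannot tell that TLS 1.3 is deliberately excluded from the GNUTLS_E_INSUFFICIENT_SECURITY return. I would extend it with a line such as `* Under TLS 1.3 semantics this is reported as GNUTLS_E_NO_CIPHER_SUITES instead.`, plus the author's reason, which the hunk does not show. Separately, `version` is assigned outside this hunk. If it can be NULL when this fallback is reached, the new dereference needs a guard, for example `version && !version->tls13_sem`. The function body starts and ends outside the hunk, so an earlier NULL check may already cover this.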
diff --git a/tests/psk-file.c b/tests/psk-file.c
index e1e058ffe9..5bd01e42ce 100644
--- a/tests/psk-file.c
+++ b/tests/psk-file.c
@@ -381,7 +381,7 @@ void doit(void)
"NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+PSK:+DHE-PSK:%SERVER_PRECEDENCE:-GROUP-DH-ALL",
"jas", &key, 0, GNUTLS_KX_PSK, 0, 0);
/* try with PRF that doesn't match binder (SHA256) */
- run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM:+PSK:+DHE-PSK", NULL, "jas", &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_INSUFFICIENT_SECURITY);
+ run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM:+PSK:+DHE-PSK", NULL, "jas", &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_CIPHER_SUITES);
/* try with no groups and PSK */
run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-GROUP-ALL", "jas", &key, 0, 0);
/* try without any groups but DHE-PSK */
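Review bot: The comment on the changed `run_test2` call still reads only "try with PRF that doesn't match binder (SHA256)" and does not explain why the server side is now expected to fail with GNUTLS_E_NO_CIPHER_SUITES. I would extend it to something like `/* try with PRF that doesn't match binder (SHA256); under TLS 1.3 the server reports no common ciphersuite rather than insufficient security */`. The visible lines also update only the TLS 1.3 expectation. If no other test pins it, a pre-TLS-1.3 FFDHE case that still expects GNUTLS_E_INSUFFICIENT_SECURITY would guard the branch this commit leaves unchanged. `doit` continues outside the hunk, so such a case may already exist.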