From 3e237a75859f1499baa0a7c3ed9428aecc6decb3 Mon Sep 17 00:00:00 2001
From: Daniel Lenski
Date: Thu, 21 Jan 2021 16:21:01 -0800
Subject: [PATCH] only set OpenSSL security level to 0 when --allow-insecure-crypto is specified

See discussions on https://gitlab.com/openconnect/openconnect/-/issues/211 for rationale.

Signed-off-by: Daniel Lenski
---
 openssl.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/openssl.c b/openssl.c
index 5f71139e..26ac750e 100644
--- a/openssl.c
+++ b/openssl.c
@@ -1699,14 +1699,16 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 #endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x010100000L
-	/* OpenSSL versions after 1.1.0 added the notion of a "security level"
-	 * that enforces checks on certificates and ciphers.
-	 * These security levels overlap in functionality with the ciphersuite
-	 * priority/allow-strings.
-	 *
-	 * For now we will set the security level to 0, thus reverting
-	 * to the functionality seen in versions before 1.1.0. */
-	SSL_CTX_set_security_level(vpninfo->https_ctx, 0);
+	if (vpninfo->allow_insecure_crypto) {
+		/* OpenSSL versions after 1.1.0 added the notion of a "security level"
+		 * that enforces checks on certificates and ciphers.
+		 * These security levels overlap in functionality with the ciphersuite
+		 * priority/allow-strings.
+		 *
+		 * For now we will set the security level to 0, thus reverting
+		 * to the functionality seen in versions before 1.1.0. */
+		SSL_CTX_set_security_level(vpninfo->https_ctx, 0);
+	}
 #endif
 
 	if (vpninfo->cert) {
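Review bot: The comment carried into the new `if (vpninfo->allow_insecure_crypto)` block still reads as if level 0 were the unconditional policy ("For now we will set the security level to 0"), which no longer describes the default path, where OpenSSL's built-in security level is now left in force. Rewording it to `/* Only when the user has explicitly opted in with --allow-insecure-crypto do we drop to security level 0 (the pre-1.1.0 behaviour); otherwise OpenSSL's default level and its certificate/cipher checks remain in effect. */` keeps the rationale accurate for both branches. Because lowering the level is a deliberate weakening of TLS certificate and cipher checks, a log line next to the SSL_CTX_set_security_level() call would let operators confirm from the logs that the weaker setting is active on a given connection. openconnect_open_https begins and ends outside the hunk.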