ssl: Support check should check minimum support

Will make TLS-1.3 work with fips
erlang · May 23, 2024 · e43ea5e · e43ea5e
1 parent 412bff5
commit e43ea5e
Showing 1 changed file with 4 additions and 7 deletions.
diff --git a/lib/ssl/src/tls_record.erl b/lib/ssl/src/tls_record.erl
@@ -430,20 +430,17 @@ sufficient_crypto_support(CryptoSupport, 'tlsv1.3') ->
     Fun = fun({Group, Algorithm}) ->
                   is_algorithm_supported(CryptoSupport, Group, Algorithm)
           end,
+    %% Make check minimal support check
     L = [{ciphers, aes_gcm},                %% TLS_AES_*_GCM_*
-         {ciphers, chacha20_poly1305},      %% TLS_CHACHA20_POLY1305_SHA256
-         {hashs, sha256},                   %% TLS_AES_128_GCM_SHA256
-         {hashs, sha384},                   %% TLS_AES_256_GCM_SHA384
+         {hashs, sha128},                   %%
+         {hashs, sha256},
          {rsa_opts, rsa_pkcs1_padding},     %% rsa_pkcs1_sha256
          {rsa_opts, rsa_pkcs1_pss_padding}, %% rsa_pss_rsae_*
          {rsa_opts, rsa_pss_saltlen},       %% rsa_pss_rsae_*
          {public_keys, ecdh},
-         {public_keys, dh},
          {public_keys, rsa},
          {public_keys, ecdsa},
-         %% {public_keys, eddsa},  %% TODO
-         {curves, secp256r1},               %% key exchange with secp256r1
-         {curves, x25519}],                 %% key exchange with X25519
+         {curves, secp256r1}]               %% key exchange with secp256r1
     lists:all(Fun, L);
 sufficient_crypto_support(CryptoSupport, Version) ->
     sufficient_crypto_support(CryptoSupport, protocol_version(Version)).