Require BLE 4.2 key exchange but not MITM

Question

I have an application which requires protection from passive eavesdropping, but not man in the middle attacks. I want to enforce the use of diffie hellman key exchange. 
 Security Mode 1 Level 4 does enforce diffie hellman key exchange, but it also enforces man in the middle protection. I really only need Security Mode 1 Level 2, but with Secure Connection support. 
 I thought about checking the lesc field in the data for the BLE_GAP_EVT_SEC_PARAMS_REQUEST event. However, sd_ble_gap_sec_params_reply returns NRF_ERROR_INVALID_STATE. I'm using Peer Manager, which is presumably already calling this function. 
 BLE_GATTS_EVT_RW_AUTHORIZE_REQUEST looks capable of doing what I want, but I wanted to check if there was a way which involved configuration only. Any suggestions? 
 I'm using SDK 13.0.0 and softdevice s140 5.0.0-2.alpha on the nRF52840.

Petter Myhre · Accepted Answer

I'm very very sorry, I was totally mistaken. If you do LESC just works you actually end up in security level 2, which actually makes sense, since it is unauthenticated. 
 It is a bit cumbersome to know if legacy pairing just works or LESC pairing just works have been performed, but you can check that the LESC flag when you get the BLE_GAP_EVT_SEC_PARAMS_REQUEST event, and then sd_ble_gap_sec_params_reply() will also need to have the LESC flag set (which Peer Manager will do for you if you tell it to in peer_manager_init()). 
 Also, when doing LESC you will get the BLE_GAP_EVT_LESC_DHKEY_REQUEST event, but not in legacy. 
 I think this information should be available when you get the BLE_GAP_EVT_AUTH_STATUS event, and I have reported this internally. 
 Again, sorry for misinforming you. Let me know if anything is unclear.