38 lines
1.2 KiB
C
38 lines
1.2 KiB
C
$NetBSD: patch-src_main.c,v 1.1 2015/09/23 08:32:15 manu Exp $
|
|
|
|
From upstream:
|
|
Negotiate highest TLS protocol possible, with TLSv1.0 being the minium.
|
|
|
|
--- src/main.c.orig 2015-09-23 09:44:41.000000000 +0200
|
|
+++ src/main.c 2015-09-23 09:49:30.000000000 +0200
|
|
@@ -479,17 +479,24 @@
|
|
RAND_write_file( f_randfile );
|
|
}
|
|
|
|
SSL_load_error_strings();
|
|
- tls_ctx = SSL_CTX_new( TLSv1_client_method() );
|
|
+
|
|
+ /*
|
|
+ * Despite its name, SSLv23_client_method() negociates highest
|
|
+ * version possible, which includes TLSv1.0, TLSv1.1, and TLSv1.2.
|
|
+ * SSLv2 and SSLv3 are disabled using SSL_OP_NO_SSLv2 and
|
|
+ * SSL_OP_NO_SSLv3 below.
|
|
+ */
|
|
+ tls_ctx = SSL_CTX_new( SSLv23_client_method() );
|
|
if ( tls_ctx == NULL )
|
|
- {
|
|
+ {
|
|
syslog(LOG_ERR, "%s: Failed to create new SSL_CTX. Exiting.", fn);
|
|
exit( 1 );
|
|
}
|
|
-
|
|
- /* Work around all known bugs */
|
|
- SSL_CTX_set_options( tls_ctx, SSL_OP_ALL );
|
|
+
|
|
+ /* Work around all known bugs, disable SSLv2 and SSLv3 */
|
|
+ SSL_CTX_set_options( tls_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );
|
|
|
|
if ( ! SSL_CTX_load_verify_locations( tls_ctx,
|
|
PC_Struct.tls_ca_file,
|
|
PC_Struct.tls_ca_path ) ||
|