Fix the "default" tls-version-min setting

commit 968569f83b defined TLS 1.2 as the minimum version if not set by user. But the patch introduced two errors: (i) ssl_flags is overwritten without regard to other options set in the flags (ii) Any tls-version-max set by the user is not taken into account. Makes it impossible to set tls-version-max without also setting tls-version-min along with loss of other bits set in ssl_flags. Fix it. The fix retains the original intent when possible, and tries to use the maximum possible value when it cannot be set to TLS 1.2 without conflicting with user-specified tls-version-max, if any. Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20211015043227.10679-1-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22939.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-09-20 03:52:28 +02:00 · 2021-10-15 00:32:27 -04:00 · 2021-10-15 00:32:27 -04:00 · 51be733ba2
commit 51be733ba2
parent dd73b620f2
1 changed files with 10 additions and 3 deletions
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@ -3167,15 +3167,22 @@ options_set_backwards_compatible_options(struct options *o)
    /* TLS min version is not set */
    if ((o->ssl_flags & SSLF_TLS_VERSION_MIN_MASK) == 0)
    {
+        int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
+                          & SSLF_TLS_VERSION_MAX_MASK;
        if (need_compatibility_before(o, 20307))
        {
            /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
-            o->ssl_flags = (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);
+            o->ssl_flags |= (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);
+        }
+        else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2)
+        {
+            /* Use TLS 1.2 as proper default */
+            o->ssl_flags |= (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);
        }
        else
        {
-            /* Use TLS 1.2 as proper default */
-            o->ssl_flags = (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);
+            /* Maximize the minimum version */
+            o->ssl_flags |= (tls_ver_max << SSLF_TLS_VERSION_MIN_SHIFT);
        }
    }