
[OVPN3-327] OpenSSL: ensure >TLS1.0 is negotiated by default

When no special setting is given, OpenSSL should negotiate any possible
TLS version rather than forcing TLS1.0 only.

TLS1.0 should be forced only when the user selects force_aes_cbc AND
does not specify any minimum TLS version higher than 1.0, OR when
tls-max is set to TLS1.0.

However, we should note that PureTLS does not rely on user settings, but
uses its own hardcoded config (i.e. the currently buggy default SSL
settings); for this reason this patch fixes PureTLS when the server
does not want to support TLS1.0.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
This commit is contained in:
Antonio Quartulli 2018-10-18 21:53:45 +08:00
parent d9b1f78b69
commit fbcd374a4d
No known key found for this signature in database
GPG Key ID: F4556C5945830E6D


@ -867,7 +867,7 @@ namespace openvpn {
try
{
// Create new SSL_CTX for server or client mode
const bool ssl23 = (config->force_aes_cbc_ciphersuites || (config->tls_version_min > TLSVersion::UNDEF));
const bool ssl23 = (!config->force_aes_cbc_ciphersuites || (config->tls_version_min > TLSVersion::UNDEF));
if (config->mode.is_server())
{
ctx = SSL_CTX_new(ssl23 ? SSL::ssl23_method_server() : TLSv1_server_method());
@ -910,20 +910,17 @@ namespace openvpn {
if (ssl23)
{
sslopt |= SSL_OP_NO_SSLv2;
if (!config->force_aes_cbc_ciphersuites || config->tls_version_min > TLSVersion::UNDEF)
{
sslopt |= SSL_OP_NO_SSLv3;
if (config->tls_version_min > TLSVersion::V1_0)
sslopt |= SSL_OP_NO_TLSv1;
# ifdef SSL_OP_NO_TLSv1_1
if (config->tls_version_min > TLSVersion::V1_1)
sslopt |= SSL_OP_NO_TLSv1_1;
# endif
# ifdef SSL_OP_NO_TLSv1_2
if (config->tls_version_min > TLSVersion::V1_2)
sslopt |= SSL_OP_NO_TLSv1_2;
# endif
}
sslopt |= SSL_OP_NO_SSLv3;
if (config->tls_version_min > TLSVersion::V1_0)
sslopt |= SSL_OP_NO_TLSv1;
# ifdef SSL_OP_NO_TLSv1_1
if (config->tls_version_min > TLSVersion::V1_1)
sslopt |= SSL_OP_NO_TLSv1_1;
# endif
# ifdef SSL_OP_NO_TLSv1_2
if (config->tls_version_min > TLSVersion::V1_2)
sslopt |= SSL_OP_NO_TLSv1_2;
# endif
}
SSL_CTX_set_options(ctx, sslopt);