[OVPN3-327] OpenSSL: ensure >TLS1.0 is negotiated by default
When no special setting is given, OpenSSL should negotiate any possible TLS version rather than forcing TLS1.0 only. TLS1.0 should be forced only when the user selects force_aes_cbc AND does not specify any minimum TLS version higher than 1.0, OR when tls-max is set to TLS1.0. However, we should note that PureTLS does not rely on user settings, but it uses its own hardcoded config (aka the currently buggy default SSL settings); for this reason this patch fixes PureTLS when the server does not want to support TLS1.0. Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
This commit is contained in:
parent
d9b1f78b69
commit
fbcd374a4d
@ -867,7 +867,7 @@ namespace openvpn {
|
||||
try
|
||||
{
|
||||
// Create new SSL_CTX for server or client mode
|
||||
const bool ssl23 = (config->force_aes_cbc_ciphersuites || (config->tls_version_min > TLSVersion::UNDEF));
|
||||
const bool ssl23 = (!config->force_aes_cbc_ciphersuites || (config->tls_version_min > TLSVersion::UNDEF));
|
||||
if (config->mode.is_server())
|
||||
{
|
||||
ctx = SSL_CTX_new(ssl23 ? SSL::ssl23_method_server() : TLSv1_server_method());
|
||||
@ -910,20 +910,17 @@ namespace openvpn {
|
||||
if (ssl23)
|
||||
{
|
||||
sslopt |= SSL_OP_NO_SSLv2;
|
||||
if (!config->force_aes_cbc_ciphersuites || config->tls_version_min > TLSVersion::UNDEF)
|
||||
{
|
||||
sslopt |= SSL_OP_NO_SSLv3;
|
||||
if (config->tls_version_min > TLSVersion::V1_0)
|
||||
sslopt |= SSL_OP_NO_TLSv1;
|
||||
# ifdef SSL_OP_NO_TLSv1_1
|
||||
if (config->tls_version_min > TLSVersion::V1_1)
|
||||
sslopt |= SSL_OP_NO_TLSv1_1;
|
||||
# endif
|
||||
# ifdef SSL_OP_NO_TLSv1_2
|
||||
if (config->tls_version_min > TLSVersion::V1_2)
|
||||
sslopt |= SSL_OP_NO_TLSv1_2;
|
||||
# endif
|
||||
}
|
||||
sslopt |= SSL_OP_NO_SSLv3;
|
||||
if (config->tls_version_min > TLSVersion::V1_0)
|
||||
sslopt |= SSL_OP_NO_TLSv1;
|
||||
# ifdef SSL_OP_NO_TLSv1_1
|
||||
if (config->tls_version_min > TLSVersion::V1_1)
|
||||
sslopt |= SSL_OP_NO_TLSv1_1;
|
||||
# endif
|
||||
# ifdef SSL_OP_NO_TLSv1_2
|
||||
if (config->tls_version_min > TLSVersion::V1_2)
|
||||
sslopt |= SSL_OP_NO_TLSv1_2;
|
||||
# endif
|
||||
}
|
||||
SSL_CTX_set_options(ctx, sslopt);
|
||||
|
||||
|
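Review bot: The new `ssl23` expression in the first hunk derives the method from `force_aes_cbc_ciphersuites` and `tls_version_min` only, so the "tls-max is set to TLS1.0" case promised in the commit message is not implemented by these hunks; if the config carries a maximum-version setting it should be folded into this expression, or the message should say where that case is handled. Because `ssl23` is now also the sole gate for `SSL_OP_NO_SSLv2`/`SSL_OP_NO_SSLv3` in the second hunk, the `ssl23 == false` path relies entirely on `TLSv1_server_method()` being version-locked, which deserves a comment above the declaration, e.g. `// TLS1.0-only method only when AES-CBC ciphersuites are forced and no tls-version-min is given; all other paths use the version-flexible method and mask SSLv2/SSLv3 plus every version below tls_version_min.` Note that with the default configuration TLS 1.0 and 1.1 remain negotiable, since only versions below `tls_version_min` are masked, so deployments that want TLS 1.2 must still set the minimum explicitly. The enclosing `try` block opens before the first hunk and its handler lies beyond the second.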