From 35efa2479ff19c3f13e69dc50d2708ce79a99beb Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sat, 15 Nov 2014 12:35:10 +0200 Subject: [PATCH] OpenSSL: Allow TLS v1.1 and v1.2 to be negotiated by default Use SSLv23_method() to enable TLS version negotiation for any version equal to or newer than 1.0. If the old behavior is needed as a workaround for some broken authentication servers, it can be configured with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1". Signed-off-by: Jouni Malinen --- src/crypto/tls_openssl.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index c9e561120..a23898250 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -810,7 +810,7 @@ void * tls_init(const struct tls_config *conf) } tls_openssl_ref_count++; - ssl = SSL_CTX_new(TLSv1_method()); + ssl = SSL_CTX_new(SSLv23_method()); if (ssl == NULL) { tls_openssl_ref_count--; #ifdef OPENSSL_SUPPORTS_CTX_APP_DATA @@ -824,6 +824,9 @@ void * tls_init(const struct tls_config *conf) return NULL; } + SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2); + SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3); + SSL_CTX_set_info_callback(ssl, ssl_info_cb); #ifdef OPENSSL_SUPPORTS_CTX_APP_DATA SSL_CTX_set_app_data(ssl, context);