OpenSSL: Allow TLS v1.1 and v1.2 to be negotiated by default
authorJouni Malinen <j@w1.fi>
Sat, 15 Nov 2014 10:35:10 +0000 (12:35 +0200)
committerJouni Malinen <j@w1.fi>
Sat, 15 Nov 2014 10:35:10 +0000 (12:35 +0200)
Use SSLv23_method() to enable TLS version negotiation for any version
equal to or newer than 1.0. If the old behavior is needed as a
workaround for some broken authentication servers, it can be configured
with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1".

Signed-off-by: Jouni Malinen <j@w1.fi>
src/crypto/tls_openssl.c

index c9e5611202f668a3bc8138c47a228c694b314d7f..a23898250a9690be0ac92271c1fe55d37c6f7ad2 100644 (file)
@@ -810,7 +810,7 @@ void * tls_init(const struct tls_config *conf)
        }
        tls_openssl_ref_count++;
 
-       ssl = SSL_CTX_new(TLSv1_method());
+       ssl = SSL_CTX_new(SSLv23_method());
        if (ssl == NULL) {
                tls_openssl_ref_count--;
 #ifdef OPENSSL_SUPPORTS_CTX_APP_DATA
@@ -824,6 +824,9 @@ void * tls_init(const struct tls_config *conf)
                return NULL;
        }
 
+       SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
+       SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
+
        SSL_CTX_set_info_callback(ssl, ssl_info_cb);
 #ifdef OPENSSL_SUPPORTS_CTX_APP_DATA
        SSL_CTX_set_app_data(ssl, context);
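Review bot: The two added SSL_CTX_set_options() calls carry no comment explaining why they are now mandatory: since the first hunk builds the context with SSLv23_method() instead of TLSv1_method(), the version-flexible method would also accept SSLv2/SSLv3 from a peer, so a later reader who drops or reorders these lines would silently re-enable those protocols. Suggest collapsing them into one call with a why-comment, `/* SSLv23_method() negotiates any version; restrict to TLS 1.0 and newer */` followed by `SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`. The phase1 tls_disable_tlsv1_1/tls_disable_tlsv1_2 handling named in the description is not part of this diff, so it is presumably applied per connection elsewhere; worth a cross-reference in the same comment. tls_init() continues outside the hunk.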