warn about TLS versions and cipher_list

author Alan T. DeKok <aland@freeradius.org>

Wed, 9 Jun 2021 19:14:52 +0000 (15:14 -0400)

committer Alan T. DeKok <aland@freeradius.org>

Wed, 9 Jun 2021 19:14:52 +0000 (15:14 -0400)
author Alan T. DeKok <aland@freeradius.org>
Wed, 9 Jun 2021 19:14:52 +0000 (15:14 -0400)
committer Alan T. DeKok <aland@freeradius.org>
Wed, 9 Jun 2021 19:14:52 +0000 (15:14 -0400)
diff --git a/src/main/tls.c b/src/main/tls.c

index f71c86476763907232b23ede429911d6dc3133ed..79ea187b6c0434998c8b7bbdc437b248f2203cbd 100644 (file)
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -3929,6 +3929,16 @@ post_ca:
         if (max_version < TLS1_3_VERSION) ctx_options |= SSL_OP_NO_TLSv1_3;
  #endif
  
+       if (min_version == TLS1_VERSION) {
+               if (!strstr(conf->cipher_list, "DEFAULT@SECLEVEL=0")) {
+                       WARN(LOG_PREFIX ": In order to use TLS 1.0, you likely need to set: cipher_list = \"DEFAULT@SECLEVEL=0\"");
+               }
+       } else if (min_version == TLS1_1_VERSION) {
+               if (!strstr(conf->cipher_list, "DEFAULT@SECLEVEL=1")) {
+                       WARN(LOG_PREFIX ": In order to use TLS 1.1, you likely need to set: cipher_list = \"DEFAULT@SECLEVEL=1\"");
+               }
+       }
+
  #if OPENSSL_VERSION_NUMBER >= 0x10100000L
         if (conf->disable_tlsv1) {
                 WARN(LOG_PREFIX ": Please use 'tls_min_version' and 'tls_max_version' instead of 'disable_tlsv1'");
author	Alan T. DeKok <aland@freeradius.org>
	Wed, 9 Jun 2021 19:14:52 +0000 (15:14 -0400)
committer	Alan T. DeKok <aland@freeradius.org>
	Wed, 9 Jun 2021 19:14:52 +0000 (15:14 -0400)