]> git.ipfire.org Git - thirdparty/freeradius-server.git/commitdiff
projects / thirdparty / freeradius-server.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4439fd7)
slightly better
authorAlan T. DeKok <aland@freeradius.org>
Wed, 9 Jun 2021 19:17:52 +0000 (15:17 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Wed, 9 Jun 2021 19:17:52 +0000 (15:17 -0400)
src/main/tls.c patch | blob | blame | history

diff --git a/src/main/tls.c b/src/main/tls.c
index 79ea187b6c0434998c8b7bbdc437b248f2203cbd..e032c408e0c1d3911ccaad7b81ceffce9fc82d4c 100644 (file)
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -3929,14 +3929,15 @@ post_ca:
        if (max_version < TLS1_3_VERSION) ctx_options |= SSL_OP_NO_TLSv1_3;
 #endif
 
-       if (min_version == TLS1_VERSION) {
-               if (!strstr(conf->cipher_list, "DEFAULT@SECLEVEL=0")) {
-                       WARN(LOG_PREFIX ": In order to use TLS 1.0, you likely need to set: cipher_list = \"DEFAULT@SECLEVEL=0\"");
-               }
-       } else if (min_version == TLS1_1_VERSION) {
-               if (!strstr(conf->cipher_list, "DEFAULT@SECLEVEL=1")) {
-                       WARN(LOG_PREFIX ": In order to use TLS 1.1, you likely need to set: cipher_list = \"DEFAULT@SECLEVEL=1\"");
-               }
+       /*
+        *      Tell OpenSSL PRETTY PLEASE MAY WE USE TLS 1.1.
+        *
+        *      Because saying "use TLS 1.1" isn't enough.  We have to
+        *      send it flowers and cake.
+        */
+       if ((min_version <= TLS1_1_VERSION) &&
+           !strstr(conf->cipher_list, "DEFAULT@SECLEVEL=1")) {
+               WARN(LOG_PREFIX ": In order to use TLS 1.0 and/or TLS 1.1, you likely need to set: cipher_list = \"DEFAULT@SECLEVEL=1\"");
        }
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
Mirror of https://github.com/FreeRADIUS/freeradius-server.git