Using TLS 1.3 with various EAP methods is not yet fully standardized, so we
don't enable it by default yet.
charon.tls.version_min = 1.0
Minimum TLS version to negotiate.
-charon.tls.version_max = 1.3
+charon.tls.version_max = 1.2
Maximum TLS version to negotiate.
charon.user
}
}
if (this->version_max == TLS_UNSPEC)
- {
- this->version_max = TLS_SUPPORTED_MAX;
+ { /* default to TLS 1.2 until 1.3 is stable for use in EAP */
+ this->version_max = TLS_1_2;
version_str = lib->settings->get_str(lib->settings, "%s.tls.version_max",
NULL, lib->ns);
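Review bot: With the fallback at `this->version_max = TLS_1_2;` now below the library maximum, whether TLS 1.3 can still be enabled depends on how the configured `%s.tls.version_max` value is applied, and that code continues outside this hunk. If the setting is capped against the current `this->version_max` rather than against `TLS_SUPPORTED_MAX`, an explicit 1.3 in the configuration would be silently reduced to 1.2, so that line is worth confirming. The added comment could also name the override, for example `/* default to TLS 1.2 until 1.3 is stable for use in EAP; charon.tls.version_max = 1.3 opts in */`. Separately, the documented `charon.tls.version_min = 1.0` default means the effective default range is now 1.0 to 1.2, so raising the minimum may be worth a follow-up where peers allow it.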