From: Jouni Malinen Date: Sat, 15 Nov 2014 10:35:10 +0000 (+0200) Subject: OpenSSL: Allow TLS v1.1 and v1.2 to be negotiated by default X-Git-Tag: hostap_2_4~1158 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=35efa2479ff19c3f13e69dc50d2708ce79a99beb;p=thirdparty%2Fhostap.git OpenSSL: Allow TLS v1.1 and v1.2 to be negotiated by default Use SSLv23_method() to enable TLS version negotiation for any version equal to or newer than 1.0. If the old behavior is needed as a workaround for some broken authentication servers, it can be configured with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1". Signed-off-by: Jouni Malinen --- diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index c9e561120..a23898250 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -810,7 +810,7 @@ void * tls_init(const struct tls_config *conf) } tls_openssl_ref_count++; - ssl = SSL_CTX_new(TLSv1_method()); + ssl = SSL_CTX_new(SSLv23_method()); if (ssl == NULL) { tls_openssl_ref_count--; #ifdef OPENSSL_SUPPORTS_CTX_APP_DATA @@ -824,6 +824,9 @@ void * tls_init(const struct tls_config *conf) return NULL; } + SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2); + SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3); + SSL_CTX_set_info_callback(ssl, ssl_info_cb); #ifdef OPENSSL_SUPPORTS_CTX_APP_DATA SSL_CTX_set_app_data(ssl, context);
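Review bot: the `ssl = SSL_CTX_new(SSLv23_method());` line in the first hunk, taken on its own, would also let SSLv2 and SSLv3 be negotiated, since SSLv23_method() is the version-flexible method and the floor the commit message describes ("equal to or newer than 1.0") is only established by the SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 options set further down in tls_init(). A one-line comment beside this call saying that the minimum version is enforced by the options below would stop a future refactor from separating the two, and would also explain to a reader skimming the code why a method named "SSLv23" is the right choice here.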
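Review bot: in the second hunk the two SSL_CTX_set_options() calls can be collapsed into one with `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3`, since options accumulate and the effect is identical. The more substantive point is that the diff shown only sets the SSLv2/SSLv3 floor; the commit message says the old behaviour can be restored with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", but nothing in these hunks maps those parameters to the corresponding per-connection SSL_OP_NO_TLSv1_1/SSL_OP_NO_TLSv1_2 options. If that handling already exists elsewhere in tls_openssl.c, the commit message should say so; if not, the advertised workaround is not wired up. A short comment stating that SSLv2/SSLv3 are disabled unconditionally (not subject to phase1) would also keep someone from later making them configurable.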