From: Alan T. DeKok
Date: Wed, 9 Jun 2021 19:14:52 +0000 (-0400)
Subject: warn about TLS versions and cipher_list
X-Git-Tag: release_3_0_23~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4439fd7723c8f3e17df372bd458b4141cc171739;p=thirdparty%2Ffreeradius-server.git
warn about TLS versions and cipher_list
---
diff --git a/src/main/tls.c b/src/main/tls.c
index f71c864767..79ea187b6c 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -3929,6 +3929,16 @@ post_ca:
 if (max_version < TLS1_3_VERSION) ctx_options |= SSL_OP_NO_TLSv1_3;
 #endif
+ if (min_version == TLS1_VERSION) {
+ if (!strstr(conf->cipher_list, "DEFAULT@SECLEVEL=0")) {
+ WARN(LOG_PREFIX ": In order to use TLS 1.0, you likely need to set: cipher_list = \"DEFAULT@SECLEVEL=0\"");
+ }
+ } else if (min_version == TLS1_1_VERSION) {
+ if (!strstr(conf->cipher_list, "DEFAULT@SECLEVEL=1")) {
+ WARN(LOG_PREFIX ": In order to use TLS 1.1, you likely need to set: cipher_list = \"DEFAULT@SECLEVEL=1\"");
+ }
+ }
+
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 if (conf->disable_tlsv1) {
 WARN(LOG_PREFIX ": Please use 'tls_min_version' and 'tls_max_version' instead of 'disable_tlsv1'");
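Review bot: Both added branches call `strstr(conf->cipher_list, ...)` without checking that `conf->cipher_list` is set; if the option can be left unconfigured (its default is not visible in this hunk), that is a NULL dereference at startup in exactly the legacy-TLS setups the warning targets. A guard such as `if (!conf->cipher_list || !strstr(conf->cipher_list, "DEFAULT@SECLEVEL=0")) {` keeps the warning and avoids the crash, and the TLS 1.1 branch needs the same. The exact-substring test also warns when an equivalent form like `ALL:@SECLEVEL=0` is already configured, and the TLS 1.1 branch warns even when `@SECLEVEL=0` is present, so matching on `@SECLEVEL=` would be less noisy. Because the message steers operators toward lowering OpenSSL's security level, it would help for the text to say that this re-enables weak ciphers and is meant only for deployments that must serve legacy clients. The enclosing function starts and ends outside the hunk.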