From: Tobias Brunner
Date: Wed, 13 Jan 2021 14:26:33 +0000 (+0100)
Subject: libtls: Reduce default max version to 1.2
X-Git-Tag: 5.9.2rc1~23^2~18
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=92aef122c3faca04d09387663f267212ffd26ca8;p=thirdparty%2Fstrongswan.git

libtls: Reduce default max version to 1.2

Using TLS 1.3 with various EAP methods is not yet fully standardized, so we don't enable it by default yet.
---
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index eb835e88e4..fb69bd7a07 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -476,7 +476,7 @@ charon.tls.suites
 charon.tls.version_min = 1.0
 Minimum TLS version to negotiate.
-charon.tls.version_max = 1.3
+charon.tls.version_max = 1.2
 Maximum TLS version to negotiate.
 charon.user
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index 4cb68ba298..8b9911a873 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -468,8 +468,8 @@ static void determine_versions(private_tls_t *this)
 }
 }
 if (this->version_max == TLS_UNSPEC)
- {
- this->version_max = TLS_SUPPORTED_MAX;
+ { /* default to TLS 1.2 until 1.3 is stable for use in EAP */
+ this->version_max = TLS_1_2;
 version_str = lib->settings->get_str(lib->settings, "%s.tls.version_max", NULL, lib->ns);
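Review bot: The lowered default in charon.opt is left unexplained, while the tls.c side gets a comment; a reader of the option description that ends up in the generated documentation cannot tell that 1.3 is still supported and merely not enabled. Extend the description under the changed line to something like `Maximum TLS version to negotiate. TLS 1.3 is supported but not enabled by default yet, as its use with EAP methods is not fully standardized.` The unchanged context line above keeps `charon.tls.version_min = 1.0`, so the effective default window after this change is 1.0 to 1.2; stating that in the option text or commit description would make clear that only the ceiling moved, and operators who want a narrower range still have to raise version_min themselves.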