From: Tobias Brunner Date: Wed, 27 Jan 2021 13:40:22 +0000 (+0100) Subject: libtls: Increase default min version to 1.2 X-Git-Tag: 5.9.2rc1~23^2~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a60e248b0d26f77f05be669559ef714c429172d7;p=thirdparty%2Fstrongswan.git libtls: Increase default min version to 1.2 The older versions are generally considered deprecated (there is an Internet-Draft that aims to do that formally).
---
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index dd972649ba..868ee1d056 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -479,7 +479,7 @@ charon.tls.send_certreq_authorities = yes Whether to include CAs in a server's CertificateRequest message. May be disabled if clients can't handle a long list of CAs.
-charon.tls.version_min = 1.0
+charon.tls.version_min = 1.2
Minimum TLS version to negotiate. charon.tls.version_max = 1.2
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index da45f4b99d..ae14213a03 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -463,8 +463,8 @@ static void determine_versions(private_tls_t *this) char *version_str; if (this->version_min == TLS_UNSPEC)
- {
- this->version_min = TLS_SUPPORTED_MIN;
+ { /* default to TLS 1.2 as older versions are considered deprecated */
+ this->version_min = TLS_1_2;
version_str = lib->settings->get_str(lib->settings, "%s.tls.version_min", NULL, lib->ns);
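Review bot: The option text `Minimum TLS version to negotiate.` gives an operator no hint why the default moved to 1.2 or what lowering it costs, so the rationale from the commit message belongs in the documented option itself, e.g. `Minimum TLS version to negotiate. TLS 1.0 and 1.1 are deprecated; values below 1.2 should only be used to accommodate legacy peers and are not recommended.` It would also help to state that the value must not exceed charon.tls.version_max, because with the raised default an untouched version_min and a lowered version_max now conflict in a way that was impossible before; whether the code rejects that combination is not visible in this diff.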
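Review bot: Defaulting `this->version_min` to `TLS_1_2` while `charon.tls.version_max` stays user-settable introduces a new failure mode: a configuration that sets only `charon.tls.version_max = 1.1` (valid against the old TLS_SUPPORTED_MIN default, which the removed charon.opt line suggests was 1.0) now yields a minimum above the maximum. The remainder of determine_versions runs past the end of this hunk, so I cannot see whether that combination is already rejected; if it is not, the default should be applied once the configured maximum is known and the min/max pair validated with a logged error, rather than letting every handshake fail with no diagnostic. Peers limited to TLS 1.0/1.1 also stop working without any configuration change on the operator's side, so the new comment should point at the knob, e.g. `/* default to TLS 1.2 as older versions are deprecated; set charon.tls.version_min explicitly to allow TLS 1.0/1.1 peers */`.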