From 7cdb42d134bb8d64e3aa7f3966fae9e74aebcdd6 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Wed, 9 Jun 2021 15:17:52 -0400
Subject: [PATCH] slightly better

---
 src/main/tls.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/src/main/tls.c b/src/main/tls.c
index 79ea187b6c..e032c408e0 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -3929,14 +3929,15 @@ post_ca:
 	if (max_version < TLS1_3_VERSION) ctx_options |= SSL_OP_NO_TLSv1_3;
 #endif
 
-	if (min_version == TLS1_VERSION) {
-		if (!strstr(conf->cipher_list, "DEFAULT@SECLEVEL=0")) {
-			WARN(LOG_PREFIX ": In order to use TLS 1.0, you likely need to set: cipher_list = \"DEFAULT@SECLEVEL=0\"");
-		}
-	} else if (min_version == TLS1_1_VERSION) {
-		if (!strstr(conf->cipher_list, "DEFAULT@SECLEVEL=1")) {
-			WARN(LOG_PREFIX ": In order to use TLS 1.1, you likely need to set: cipher_list = \"DEFAULT@SECLEVEL=1\"");
-		}
+	/*
+	 *	Tell OpenSSL PRETTY PLEASE MAY WE USE TLS 1.1.
+	 *
+	 *	Because saying "use TLS 1.1" isn't enough.  We have to
+	 *	send it flowers and cake.
+	 */
+	if ((min_version <= TLS1_1_VERSION) &&
+	    !strstr(conf->cipher_list, "DEFAULT@SECLEVEL=1")) {
+		WARN(LOG_PREFIX ": In order to use TLS 1.0 and/or TLS 1.1, you likely need to set: cipher_list = \"DEFAULT@SECLEVEL=1\"");
 	}
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
-- 
2.47.3
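Review bot: The new condition still passes `conf->cipher_list` straight to `strstr()`, so if `cipher_list` is an optional config item that can be left unset (it is used elsewhere in tls.c in a way that suggests it may be NULL — please confirm), a server with min_version at TLS 1.0/1.1 and no cipher_list dereferences NULL at startup; the old code had the same gap, but this commit rewrites the check and is the place to close it, e.g. `if ((min_version <= TLS1_1_VERSION) && (!conf->cipher_list || !strstr(conf->cipher_list, "DEFAULT@SECLEVEL=1"))) {`. Note also that the warning now recommends only `SECLEVEL=1` where the removed branch recommended `SECLEVEL=0` for TLS 1.0; whether TLS 1.0 actually negotiates at level 1 depends on the OpenSSL build, so the message may want to say "at most SECLEVEL=1" rather than pin a value. Since `@SECLEVEL` applies to the whole SSL_CTX and not just to legacy clients, a one-line comment above the WARN such as `/* lowering SECLEVEL weakens every connection on this listener, not only TLS 1.0/1.1 ones */` would help operators weigh the advice. The enclosing function starts and ends outside this hunk.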