libtls: Increase default min version to 1.2

author Tobias Brunner <tobias@strongswan.org>

Wed, 27 Jan 2021 13:40:22 +0000 (14:40 +0100)

committer Tobias Brunner <tobias@strongswan.org>

Fri, 12 Feb 2021 13:35:23 +0000 (14:35 +0100)
author Tobias Brunner <tobias@strongswan.org>
Wed, 27 Jan 2021 13:40:22 +0000 (14:40 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Fri, 12 Feb 2021 13:35:23 +0000 (14:35 +0100)
diff --git a/conf/options/charon.opt b/conf/options/charon.opt

index dd972649badf6bbe966b6259adb3b50433fd8ba0..868ee1d056e65c2037a09507ef6100ae05f779fc 100644 (file)
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -479,7 +479,7 @@ charon.tls.send_certreq_authorities = yes
         Whether to include CAs in a server's CertificateRequest message. May be
         disabled if clients can't handle a long list of CAs.
  
-charon.tls.version_min = 1.0
+charon.tls.version_min = 1.2
         Minimum TLS version to negotiate.
  
  charon.tls.version_max = 1.2
diff --git a/src/libtls/tls.c b/src/libtls/tls.c

index da45f4b99db60e317477cd01aea40f7778749629..ae14213a03949b1162c098333952d6e2cf1e6bc3 100644 (file)
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -463,8 +463,8 @@ static void determine_versions(private_tls_t *this)
         char *version_str;
  
         if (this->version_min == TLS_UNSPEC)
-       {
-               this->version_min = TLS_SUPPORTED_MIN;
+       {       /* default to TLS 1.2 as older versions are considered deprecated */
+               this->version_min = TLS_1_2;
  
                 version_str = lib->settings->get_str(lib->settings, "%s.tls.version_min",
                                                                                          NULL, lib->ns);
author	Tobias Brunner <tobias@strongswan.org>
	Wed, 27 Jan 2021 13:40:22 +0000 (14:40 +0100)
committer	Tobias Brunner <tobias@strongswan.org>
	Fri, 12 Feb 2021 13:35:23 +0000 (14:35 +0100)
conf/options/charon.opt		patch \| blob \| blame \| history
src/libtls/tls.c		patch \| blob \| blame \| history