- Fix #1303: [FR] Disable TLSv1.2.
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Thu, 17 Jul 2025 12:50:13 +0000 (14:50 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Thu, 17 Jul 2025 12:50:13 +0000 (14:50 +0200)
doc/Changelog
util/net_help.c

index e03bab37b7b5297e350fa54de74c788eff6b781c..fcce94e43ca2e50bb842205806e66a4bd04c77d1 100644 (file)
@@ -1,5 +1,6 @@
 17 July 2025: Wouter
        - Fix to not set rlimits in the unit tests.
+       - Fix #1303: [FR] Disable TLSv1.2.
 
 16 July 2025: Wouter
        - Fix for RebirthDay Attack CVE-2025-5994, reported by Xiang Li
index a147c511d8f3b6728c0e3ecd465b4d2bd52944b0..6ce0d9131300c4876c1b7282c6289e64de8aa563 100644 (file)
@@ -1259,6 +1259,14 @@ listen_sslctx_setup(void* ctxt)
                return 0;
        }
 #endif
+#if defined(SSL_OP_NO_TLSv1_2) && defined(SSL_OP_NO_TLSv1_3)
+       /* if we have tls 1.3 disable 1.2 */
+       if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2) & SSL_OP_NO_TLSv1_2)
+               != SSL_OP_NO_TLSv1_2){
+               log_crypto_err("could not set SSL_OP_NO_TLSv1_2");
+               return 0;
+       }
+#endif
 #if defined(SSL_OP_NO_RENEGOTIATION)
        /* disable client renegotiation */
        if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
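Review bot: The `#if defined(SSL_OP_NO_TLSv1_2) && defined(SSL_OP_NO_TLSv1_3)` guard only proves the headers know the TLS 1.3 option macro, not that the library this binary links against actually negotiates TLS 1.3 (a build configured without TLS 1.3, or a runtime library older than the headers, would leave the listening context with no usable protocol version at all). Because this is the server-side context from listen_sslctx_setup, clients that only speak TLS 1.2 are refused outright and the hunk provides no configuration escape, so at minimum the comment should state that consequence, e.g. `/* TLS 1.3 is available at build time; disable TLS 1.2 so only TLS 1.3 is offered to clients (TLS 1.2-only clients will fail to connect) */`. Consider whether the same policy is intended for the outgoing (upstream) context elsewhere in this file, which this hunk does not touch. listen_sslctx_setup begins before and continues after this hunk.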