From: W.C.A. Wijngaards
Date: Thu, 17 Jul 2025 12:50:13 +0000 (+0200)
Subject: - Fix #1303: [FR] Disable TLSv1.2.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b6e52c0a52178fdc21db775db10674ba0afb6b6b;p=thirdparty%2Funbound.git
- Fix #1303: [FR] Disable TLSv1.2.
---
diff --git a/doc/Changelog b/doc/Changelog
index e03bab37b..fcce94e43 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,6 @@ 17 July 2025: Wouter - Fix to not set rlimits in the unit tests.
+ - Fix #1303: [FR] Disable TLSv1.2. 16 July 2025: Wouter - Fix for RebirthDay Attack CVE-2025-5994, reported by Xiang Li
diff --git a/util/net_help.c b/util/net_help.c
index a147c511d..6ce0d9131 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -1259,6 +1259,14 @@ listen_sslctx_setup(void* ctxt) return 0; } #endif
+#if defined(SSL_OP_NO_TLSv1_2) && defined(SSL_OP_NO_TLSv1_3) /* if we have tls 1.3 disable 1.2 */ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2) & SSL_OP_NO_TLSv1_2) != SSL_OP_NO_TLSv1_2){ log_crypto_err("could not set SSL_OP_NO_TLSv1_2"); return 0; } #endif #if defined(SSL_OP_NO_RENEGOTIATION) /* disable client renegotiation */ if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
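Review bot: The guard `#if defined(SSL_OP_NO_TLSv1_2) && defined(SSL_OP_NO_TLSv1_3)` in the net_help.c hunk only proves the option macros exist in the headers, not that the linked library can negotiate TLS 1.3: OpenSSL defines `SSL_OP_NO_TLSv1_3` unconditionally and signals a build with TLS 1.3 compiled out through `OPENSSL_NO_TLS1_3`, so on such a build this block also disables TLS 1.2 and the listening context is left with no protocol version it accepts. Adding `&& !defined(OPENSSL_NO_TLS1_3)` to the condition, or using `SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION)` where that API is available, avoids that failure mode. The comment `/* if we have tls 1.3 disable 1.2 */` should also state the operational effect, e.g. `/* TLS 1.3 is available: refuse TLS 1.2 handshakes, so clients limited to 1.2 are rejected */`. listen_sslctx_setup starts outside the hunk, so whether the matching client-side context needs the same treatment is not visible here.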