From: Alan T. DeKok <aland@freeradius.org>
Date: Wed, 9 Jun 2021 19:04:06 +0000 (-0400)
Subject: if tls_max_version isn't set, default to 1.2
X-Git-Tag: release_3_0_23~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d620a6ea00a0589a64249e39efa19770cd61cd12;p=thirdparty%2Ffreeradius-server.git

if tls_max_version isn't set, default to 1.2

even if we have 1.3.  Because we should only use 1.3 if the
admin explicitly enables it
---

diff --git a/src/main/tls.c b/src/main/tls.c
index 4fdede5d969..f71c8647676 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -3787,7 +3787,7 @@ post_ca:
 		 *	time.
 		 */
 #if defined(TLS1_3_VERSION)
-		max_version = TLS1_3_VERSION;
+		max_version = TLS1_2_VERSION; /* yes, we only use TLS 1.3 if it's EXPLICITELY ENABLED */
 #elif defined(TLS1_2_VERSION)
 		max_version = TLS1_2_VERSION;
 #elif defined(TLS1_1_VERSION)