From: Alan T. DeKok Date: Thu, 6 May 2021 20:41:24 +0000 (-0400) Subject: rearrange / clean up comments X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f25408ba746dc2871a589915be99d2cf1408f653;p=thirdparty%2Ffreeradius-server.git rearrange / clean up comments --- diff --git a/src/lib/tls/ctx.c b/src/lib/tls/ctx.c index 2d7071a4bdd..cbf72e0ef79 100644 --- a/src/lib/tls/ctx.c +++ b/src/lib/tls/ctx.c @@ -668,10 +668,6 @@ post_ca: goto error; } - /* - * As of 3.0.5, we always allow TLSv1.1 and TLSv1.2. - * Though they can be *globally* disabled if necessary. - */ # ifdef SSL_OP_NO_TLSv1 if (conf->tls_min_version > (float) 1.0) ctx_options |= SSL_OP_NO_TLSv1; ctx_tls_versions |= SSL_OP_NO_TLSv1; @@ -702,22 +698,22 @@ post_ca: ctx_options |= SSL_OP_NO_TICKET; #endif + /* + * SSL_OP_SINGLE_DH_USE must be used in order to prevent + * small subgroup attacks and forward secrecy. Always + * using SSL_OP_SINGLE_DH_USE has an impact on the + * computer time needed during negotiation, but it is not + * very large. + */ if (!conf->disable_single_dh_use) { - /* - * SSL_OP_SINGLE_DH_USE must be used in order to prevent - * small subgroup attacks and forward secrecy. Always - * using SSL_OP_SINGLE_DH_USE has an impact on the - * computer time needed during negotiation, but it is not - * very large. - */ ctx_options |= SSL_OP_SINGLE_DH_USE; } #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS + /* + * Note: This flag isn't honoured by all OpenSSL forks. + */ if (conf->allow_renegotiation) { - /* - * Note: This flag isn't honoured by all OpenSSL forks. - */ ctx_options |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; } #endif @@ -730,12 +726,12 @@ post_ca: */ ctx_options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; - if (conf->cipher_server_preference) { /* * SSL_OP_CIPHER_SERVER_PREFERENCE to follow best practice * of nowday's TLS: do not allow poorly-selected ciphers from * client to take preference */ + if (conf->cipher_server_preference) { ctx_options |= SSL_OP_CIPHER_SERVER_PREFERENCE; }