From d620a6ea00a0589a64249e39efa19770cd61cd12 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Wed, 9 Jun 2021 15:04:06 -0400
Subject: [PATCH] if tls_max_version isn't set, default to 1.2

even if we have 1.3.  Because we should only use 1.3 if the
admin explicitly enables it
---
 src/main/tls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/tls.c b/src/main/tls.c
index 4fdede5d969..f71c8647676 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -3787,7 +3787,7 @@ post_ca:
 		 *	time.
 		 */
 #if defined(TLS1_3_VERSION)
-		max_version = TLS1_3_VERSION;
+		max_version = TLS1_2_VERSION; /* yes, we only use TLS 1.3 if it's EXPLICITELY ENABLED */
 #elif defined(TLS1_2_VERSION)
 		max_version = TLS1_2_VERSION;
 #elif defined(TLS1_1_VERSION)
-- 
2.47.3