daemon_remote_delete(rc);
return NULL;
}
+#if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
+ /* if we have tls 1.1 disable 1.0 */
+ if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
+ != SSL_OP_NO_TLSv1){
+ log_crypto_err("could not set SSL_OP_NO_TLSv1");
+ daemon_remote_delete(rc);
+ return NULL;
+ }
+#endif
+#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
+ /* if we have tls 1.2 disable 1.1 */
+ if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
+ != SSL_OP_NO_TLSv1_1){
+ log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
+ daemon_remote_delete(rc);
+ return NULL;
+ }
+#endif
if (cfg->remote_control_use_cert == 0) {
/* No certificates are requested */
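Review bot: The two added `#if` blocks only raise the protocol floor, and only when the build headers define `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2`, so a build against older headers keeps TLS 1.0 or 1.1 enabled on the control channel without any log line. Nothing in these lines restricts the cipher list that the changelog entry refers to, so it is worth confirming that the cipher selection is tightened outside the lines shown here, including in the `remote_control_use_cert == 0` branch that follows. A comment above the first block would record the build-time dependency, for example `/* protocol floor follows the build headers: TLS 1.0 stays enabled if SSL_OP_NO_TLSv1_1 is undefined */`. Where the library provides it (OpenSSL 1.1.0 and later), `SSL_CTX_set_min_proto_version(rc->ctx, TLS1_2_VERSION)` states the same floor in one checked call. The enclosing function starts and ends outside the hunk.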
+27 February 2017: Wouter
+ - Fix #1227: Fix that Unbound control allows weak ciphersuits.
+
24 February 2017: Wouter
- include sys/time.h for new shm code on NetBSD.