TLS: set some common options both for client and server contexts
authorArtem Boldariev <artem@boldariev.com>
Mon, 13 Sep 2021 11:00:35 +0000 (14:00 +0300)
committerArtem Boldariev <artem@boldariev.com>
Fri, 1 Oct 2021 12:50:42 +0000 (15:50 +0300)
This commit makes the TLS context manipulation code set some common
options (disabling compression and disabling session resumption on
renegotiation) on both client and server contexts, regardless of the
OpenSSL version in use; previously they were only set in the fallback
path used when SSL_CTX_set_min_proto_version() is unavailable.

lib/isc/tls.c

index ad0cb74168bdfb3e7a79188adc4da79e6502cd74..1f9d7f9319518ae2340700ba361f6110a902fe2f 100644 (file)
@@ -33,6 +33,9 @@
 #include "openssl_shim.h"
 #include "tls_p.h"
 
+#define COMMON_SSL_OPTIONS \
+       (SSL_OP_NO_COMPRESSION | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
+
 static isc_once_t init_once = ISC_ONCE_INIT;
 static isc_once_t shut_once = ISC_ONCE_INIT;
 static atomic_bool init_done = ATOMIC_VAR_INIT(false);
@@ -185,13 +188,13 @@ isc_tlsctx_createclient(isc_tlsctx_t **ctxp) {
                goto ssl_error;
        }
 
+       SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS);
+
 #if HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
        SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
 #else
-       SSL_CTX_set_options(
-               ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
-                            SSL_OP_NO_TLSv1_1 | SSL_OP_NO_COMPRESSION |
-                            SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+       SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+                                        SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
 #endif
 
        *ctxp = ctx;
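Review bot: The new COMMON_SSL_OPTIONS macro carries no comment explaining why these two flags belong on every context, and the second flag is, per OpenSSL's documentation, a server-side option, so on the client context created here it is effectively a no-op — harmless, but worth stating so nobody later reads it as client-side hardening. I would add above the #define: `/* Applied to every context: SSL_OP_NO_COMPRESSION closes compression-oracle (CRIME-style) plaintext leakage; SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (server-only) forces a full handshake on renegotiation. */`. The rest of the enclosing isc_tlsctx_createclient() body, including the goto ssl_error target, lies outside this hunk.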
@@ -235,6 +238,8 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
        }
        RUNTIME_CHECK(ctx != NULL);
 
+       SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS);
+
 #if HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
        SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
 #else
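Review bot: SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION only makes renegotiations full handshakes; it does not prevent a client from initiating renegotiation, so the server context built here still permits client-driven renegotiation (and the cost of repeated full handshakes) on OpenSSL versions that support it. If the OpenSSL versions BIND targets provide it (SSL_OP_NO_RENEGOTIATION exists from 1.1.0h; TLS 1.3 has no renegotiation at all), consider following the COMMON_SSL_OPTIONS call with `#ifdef SSL_OP_NO_RENEGOTIATION` / `SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);` / `#endif`. Whether openssl_shim.h already defines or polyfills that flag is not visible in this diff. isc_tlsctx_createserver() starts before this hunk and its #if/#else block continues past it.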