Add an option that allows the enabled SSL protocols to be explicitly

configured. Discussed with several. ok bcook@
author: jsing <> 2014-09-29 15:11:29 +0000
committer: jsing <> 2014-09-29 15:11:29 +0000
commit: 0211c1396ff6d4dc401cabef56c2af3202f043f9 (patch)
tree: 50bbaa9e38aefb427b0f0162ccd9eefee6d46b85 /src/lib/libressl/ressl.c
parent: c9beabec633f1cc45215bc550b7370c475785a2b (diff)
download: openbsd-0211c1396ff6d4dc401cabef56c2af3202f043f9.tar.gz
openbsd-0211c1396ff6d4dc401cabef56c2af3202f043f9.tar.bz2
openbsd-0211c1396ff6d4dc401cabef56c2af3202f043f9.zip
1 files changed, 18 insertions, 1 deletions
diff --git a/src/lib/libressl/ressl.c b/src/lib/libressl/ressl.c
index f01448b8f4..516afa53d6 100644
--- a/src/lib/libressl/ressl.c
+++ b/src/lib/libressl/ressl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.c,v 1.14 2014/09/28 14:45:48 reyk Exp $ */
+/* $OpenBSD: ressl.c,v 1.15 2014/09/29 15:11:29 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -168,6 +168,23 @@ err:
        return (1);
 }
+int
+ressl_configure_ssl(struct ressl *ctx)
+{
+        SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
+        if ((ctx->config->protocols & RESSL_PROTOCOL_SSLv3) == 0)
+                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
+        if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_0) == 0)
+                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
+        if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_1) == 0)
+                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
+        if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_2) == 0)
+                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
+        return (0);
+}
 void
 ressl_free(struct ressl *ctx)
 {
author	jsing <>	2014-09-29 15:11:29 +0000
committer	jsing <>	2014-09-29 15:11:29 +0000
commit	0211c1396ff6d4dc401cabef56c2af3202f043f9 (patch)
tree	50bbaa9e38aefb427b0f0162ccd9eefee6d46b85 /src/lib/libressl/ressl.c
parent	c9beabec633f1cc45215bc550b7370c475785a2b (diff)
download	openbsd-0211c1396ff6d4dc401cabef56c2af3202f043f9.tar.gz openbsd-0211c1396ff6d4dc401cabef56c2af3202f043f9.tar.bz2 openbsd-0211c1396ff6d4dc401cabef56c2af3202f043f9.zip

diff --git a/src/lib/libressl/ressl.c b/src/lib/libressl/ressl.c index f01448b8f4..516afa53d6 100644 --- a/src/lib/libressl/ressl.c +++ b/src/lib/libressl/ressl.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ressl.c,v 1.14 2014/09/28 14:45:48 reyk Exp $ */	1	/* $OpenBSD: ressl.c,v 1.15 2014/09/29 15:11:29 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -168,6 +168,23 @@ err:
168	return (1);	168	return (1);
169	}	169	}
170		170
		171	int
		172	ressl_configure_ssl(struct ressl *ctx)
		173	{
		174	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
		175
		176	if ((ctx->config->protocols & RESSL_PROTOCOL_SSLv3) == 0)
		177	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
		178	if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_0) == 0)
		179	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
		180	if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_1) == 0)
		181	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
		182	if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_2) == 0)
		183	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
		184
		185	return (0);
		186	}
		187
171	void	188	void
172	ressl_free(struct ressl *ctx)	189	ressl_free(struct ressl *ctx)
173	{	190	{