Correct handling of SSL_OP_NO_DTLSv1.

When converting to TLS flags, we need to also include SSL_OP_NO_TLSv1, otherwise the TLS equivalent of SSL_OP_NO_DTLSv1 is TLSv1.0 only, which does not work so well when we try to switch back to DTLS versions.
author: jsing <> 2021-06-27 16:54:14 +0000
committer: jsing <> 2021-06-27 16:54:14 +0000
commit: 4404df9dd9e200b2608ac9cfdfa13dcba0eedb73 (patch)
tree: 8744e82b4d46481f9e4d39e2935aaa9b9de38ec9 /src/lib/libssl/ssl_versions.c
parent: 49fa77afbf4fc839cae5e7fd48d077d8551da2b3 (diff)
download: openbsd-4404df9dd9e200b2608ac9cfdfa13dcba0eedb73.tar.gz
openbsd-4404df9dd9e200b2608ac9cfdfa13dcba0eedb73.tar.bz2
openbsd-4404df9dd9e200b2608ac9cfdfa13dcba0eedb73.zip
1 files changed, 3 insertions, 3 deletions
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index 0d8487d577..68e69ebca3 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.18 2021/03/19 19:52:55 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.19 2021/06/27 16:54:14 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -145,9 +145,9 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
        if (SSL_is_dtls(s)) {
                options = 0;
                if (s->internal->options & SSL_OP_NO_DTLSv1)
-                        options |= SSL_OP_NO_TLSv1_1;
+                        options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
                if (s->internal->options & SSL_OP_NO_DTLSv1_2)
-                        options |= SSL_OP_NO_TLSv1_2;
+                        options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
        }
        if ((options & SSL_OP_NO_TLSv1) == 0)
author	jsing <>	2021-06-27 16:54:14 +0000
committer	jsing <>	2021-06-27 16:54:14 +0000
commit	4404df9dd9e200b2608ac9cfdfa13dcba0eedb73 (patch)
tree	8744e82b4d46481f9e4d39e2935aaa9b9de38ec9 /src/lib/libssl/ssl_versions.c
parent	49fa77afbf4fc839cae5e7fd48d077d8551da2b3 (diff)
download	openbsd-4404df9dd9e200b2608ac9cfdfa13dcba0eedb73.tar.gz openbsd-4404df9dd9e200b2608ac9cfdfa13dcba0eedb73.tar.bz2 openbsd-4404df9dd9e200b2608ac9cfdfa13dcba0eedb73.zip

diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c index 0d8487d577..68e69ebca3 100644 --- a/src/lib/libssl/ssl_versions.c +++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_versions.c,v 1.18 2021/03/19 19:52:55 tb Exp $ */	1	/* $OpenBSD: ssl_versions.c,v 1.19 2021/06/27 16:54:14 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -145,9 +145,9 @@ ssl_enabled_tls_version_range(SSL s, uint16_t min_ver, uint16_t *max_ver)
145	if (SSL_is_dtls(s)) {	145	if (SSL_is_dtls(s)) {
146	options = 0;	146	options = 0;
147	if (s->internal->options & SSL_OP_NO_DTLSv1)	147	if (s->internal->options & SSL_OP_NO_DTLSv1)
148	options \|= SSL_OP_NO_TLSv1_1;	148	options \|= SSL_OP_NO_TLSv1 \| SSL_OP_NO_TLSv1_1;
149	if (s->internal->options & SSL_OP_NO_DTLSv1_2)	149	if (s->internal->options & SSL_OP_NO_DTLSv1_2)
150	options \|= SSL_OP_NO_TLSv1_2;	150	options \|= SSL_OP_NO_TLSv1 \| SSL_OP_NO_TLSv1_2;
151	}	151	}
152		152
153	if ((options & SSL_OP_NO_TLSv1) == 0)	153	if ((options & SSL_OP_NO_TLSv1) == 0)