author | beck <> | 2023-07-02 17:21:33 +0000 |
---|---|---|
committer | beck <> | 2023-07-02 17:21:33 +0000 |
commit | ddcb4efd6551a982bf29b2e8e83c9c808a1670dc (patch) | |
tree | 33bb9f6c1c9fd44a8c7064445713f67f9fe0b371 /src/lib/libssl/ssl_versions.c | |
parent | 025f3b8ef1e0ff3017dd0079925fbf85f15a6d22 (diff) | |
Disable TLS 1.0 and TLS 1.1 in libssl
Their time has long since passed, and they should not be used.
This change restricts ssl to versions 1.2 and 1.3, and changes
the regression tests to understand we no longer speak the legacy
protocols.
For the moment the magical "golden" byte for byte comparison
tests of raw handshake values are disabled until jsing fixes them.
ok jsing@ tb@
Diffstat (limited to 'src/lib/libssl/ssl_versions.c')
-rw-r--r-- | src/lib/libssl/ssl_versions.c | 12 |
1 files changed, 2 insertions, 10 deletions
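--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.26 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.27 2023/07/02 17:21:32 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -150,11 +150,7 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
 }
 
-if ((options & SSL_OP_NO_TLSv1) == 0)
-min_version = TLS1_VERSION;
-else if ((options & SSL_OP_NO_TLSv1_1) == 0)
-min_version = TLS1_1_VERSION;
-else if ((options & SSL_OP_NO_TLSv1_2) == 0)
+if ((options & SSL_OP_NO_TLSv1_2) == 0)
 min_version = TLS1_2_VERSION;
 else if ((options & SSL_OP_NO_TLSv1_3) == 0)
 min_version = TLS1_3_VERSION;
@@ -162,10 +158,6 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
 max_version = TLS1_2_VERSION;
 if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
-max_version = TLS1_1_VERSION;
-if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
-max_version = TLS1_VERSION;
-if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
 max_version = 0;
 
 /* Everything has been disabled... */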
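Review bot: The new min_version selection at new line 153 consults only SSL_OP_NO_TLSv1_2 and SSL_OP_NO_TLSv1_3, so SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 are now silently ignored by this function, yet the context line 150 still ORs SSL_OP_NO_TLSv1 into options; that bit is now dead for the range computation and the surrounding block (outside the hunk) is worth trimming or commenting so the next reader does not hunt for the missing TLS 1.0/1.1 arms. A one-line comment above the new condition would make the intent explicit: `/* TLS 1.0 and 1.1 are no longer supported; only 1.2 and 1.3 are candidates. */`. In the second hunk the `max_version = 0` assignment now fires whenever TLS 1.2 is disabled and min_version is still below TLS1_2_VERSION, which presumably means min_version kept its initial value because both 1.2 and 1.3 were disabled; ssl_enabled_tls_version_range starts and ends outside both hunks, so that initializer could not be confirmed here and a short comment stating the assumption would help.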