Remove the ability to do tls 1.0 and 1.1 from libtls.

With this change any requests from configurations to request
versions of tls before tls 1.2 will use tls 1.2. This prepares
us to deprecate tls 1.0 and tls 1.1 support from libssl.

ok tb@

1 files changed, 3 insertions, 7 deletions

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 8444169bdc..fdb994d733 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.97 2023/06/18 11:43:03 op Exp $ */
+/* $OpenBSD: tls.c,v 1.98 2023/07/02 06:37:27 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -520,16 +520,12 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
 
         SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
         SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
+        SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
+        SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
 
-        SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1);
-        SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
         SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
         SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_3);
 
-        if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
-                SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
-        if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
-                SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
         if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
                 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
         if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_3) == 0)