libtls: fix legacy protocol parsing

Redefining TLS_PROTOCOL_TLSv1_0 and TLS_PROTOCOL_TLSv1_1 to be the same
as TLS_PROTOCOL_TLSv1_2 had undesired side effects, as witnessed in the
accompanying regress tests. The protocol string all:tlsv1.0 would disable
TLSv1.2 (so only enable TLSv1.3) and tlsv1.2:!tlsv1.1 would disable all
protocols.

It makes more sense to ignore any setting of TLSv1.0 and TLSv1.1, so if
you request 'tlsv1.1' you get no protocol, but 'all:!tlsv1.1' will enable
the two supported protocols TLSv1.3 and TLSv1.2.

Restore the defines to their original values and adjust the parsing code
to set/unset them.

Issue reported by Kenjiro Nakayama
Fixes https://github.com/libressl/openbsd/issues/151

with/ok jsing

1 files changed, 3 insertions, 3 deletions

diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 10dc5003cb..22fa8455a1 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.70 2024/03/28 06:55:02 joshua Exp $ */
+/* $OpenBSD: tls_config.c,v 1.71 2024/08/02 15:00:01 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -261,9 +261,9 @@ tls_config_parse_protocols(uint32_t *protocols, const char *protostr)
                 if (strcasecmp(p, "tlsv1") == 0)
                         proto = TLS_PROTOCOL_TLSv1;
                 else if (strcasecmp(p, "tlsv1.0") == 0)
-                        proto = TLS_PROTOCOL_TLSv1_2;
+                        proto = TLS_PROTOCOL_TLSv1_0;
                 else if (strcasecmp(p, "tlsv1.1") == 0)
-                        proto = TLS_PROTOCOL_TLSv1_2;
+                        proto = TLS_PROTOCOL_TLSv1_1;
                 else if (strcasecmp(p, "tlsv1.2") == 0)
                         proto = TLS_PROTOCOL_TLSv1_2;
                 else if (strcasecmp(p, "tlsv1.3") == 0)