From 0211c1396ff6d4dc401cabef56c2af3202f043f9 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 29 Sep 2014 15:11:29 +0000
Subject: Add an option that allows the enabled SSL protocols to be explicitly configured. Discussed with several. ok bcook@

---
 src/lib/libressl/ressl.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

(limited to 'src/lib/libressl/ressl.c')

diff --git a/src/lib/libressl/ressl.c b/src/lib/libressl/ressl.c
index f01448b8f4..516afa53d6 100644
--- a/src/lib/libressl/ressl.c
+++ b/src/lib/libressl/ressl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.c,v 1.14 2014/09/28 14:45:48 reyk Exp $ */
+/* $OpenBSD: ressl.c,v 1.15 2014/09/29 15:11:29 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -168,6 +168,23 @@ err:
 	return (1);
 }
 
+int
+ressl_configure_ssl(struct ressl *ctx)
+{
+	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
+
+	if ((ctx->config->protocols & RESSL_PROTOCOL_SSLv3) == 0)
+		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
+	if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_0) == 0)
+		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
+	if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_1) == 0)
+		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
+	if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_2) == 0)
+		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
+
+	return (0);
+}
+
 void
 ressl_free(struct ressl *ctx)
 {
-- 
cgit v1.2.3-55-g6feb
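Review bot: In the new ressl_configure_ssl(), the SSL_OP_NO_* bits are only ever OR'd in via SSL_CTX_set_options(), and SSL_CTX options are sticky, so if this function can run more than once on the same ctx->ssl_ctx (a reconfigure with a wider protocols mask, which this hunk neither shows nor rules out) a protocol disabled earlier can never be re-enabled; clearing the four version bits with SSL_CTX_clear_options() before setting the computed mask makes the function idempotent with respect to the configured value. A mask with none of the four RESSL_PROTOCOL_* bits set currently produces a context with no negotiable version and an opaque handshake failure later; rejecting it here, returning (1) to match the `err:` path visible just above the hunk, would surface the misconfiguration at configure time, though whether this file has an error-reporting helper to attach a message is not visible in the hunk. SSL_CTX_set_options() returns the resulting option mask rather than an error code, so the unconditional `return (0)` is otherwise correct. The hunk also deserves a one-line comment such as `/* SSLv2 is never negotiable; the configured mask only selects among SSLv3 and TLS 1.0-1.2. */` so the allow-list semantics of the mask are explicit.
```c
int
ressl_configure_ssl(struct ressl *ctx)
{
	long no_opts = 0;

	/* SSLv2 is never negotiable, regardless of the configured mask. */
	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);

	/* Refuse a mask that leaves no protocol version enabled. */
	if ((ctx->config->protocols & (RESSL_PROTOCOL_SSLv3 |
	    RESSL_PROTOCOL_TLSv1_0 | RESSL_PROTOCOL_TLSv1_1 |
	    RESSL_PROTOCOL_TLSv1_2)) == 0)
		return (1);

	if ((ctx->config->protocols & RESSL_PROTOCOL_SSLv3) == 0)
		no_opts |= SSL_OP_NO_SSLv3;
	/* … unchanged: same test for TLSv1_0, TLSv1_1, TLSv1_2, OR'ing into no_opts … */

	/* Options are sticky; clear the version bits so a reconfigure can re-enable. */
	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
	    SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
	SSL_CTX_set_options(ctx->ssl_ctx, no_opts);

	return (0);
}
```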