From 42d1ecbb4220b6260fa2da63402ec3f5cbad849a Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Fri, 3 Apr 2026 12:58:19 +0000
Subject: Ensure that we cannot negotiate TLSv1.1 or lower.

TLS versions prior to TLSv1.2 were disabled a while ago, however this was done in the version handling code. Remove TLSv1.1 and earlier from ssl_get_method() and add an explicit min version check in the legacy client and server, to provide a stronger guarantee.

ok kenjiro@ tb@
---
 src/lib/libssl/ssl_methods.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

(limited to 'src/lib/libssl/ssl_methods.c')

diff --git a/src/lib/libssl/ssl_methods.c b/src/lib/libssl/ssl_methods.c
index dee52decf1..dd620c1008 100644
--- a/src/lib/libssl/ssl_methods.c
+++ b/src/lib/libssl/ssl_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_methods.c,v 1.32 2024/07/23 14:40:54 jsing Exp $ */
+/* $OpenBSD: ssl_methods.c,v 1.33 2026/04/03 12:58:19 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -538,17 +538,11 @@ const SSL_METHOD *
 ssl_get_method(uint16_t version)
 {
 	if (version == TLS1_3_VERSION)
-		return (TLS_method());
+		return TLS_method();
 	if (version == TLS1_2_VERSION)
-		return (TLSv1_2_method());
-	if (version == TLS1_1_VERSION)
-		return (TLSv1_1_method());
-	if (version == TLS1_VERSION)
-		return (TLSv1_method());
-	if (version == DTLS1_VERSION)
-		return (DTLSv1_method());
+		return TLSv1_2_method();
 	if (version == DTLS1_2_VERSION)
-		return (DTLSv1_2_method());
+		return DTLSv1_2_method();
 
-	return (NULL);
+	return NULL;
 }
--
cgit v1.2.3-55-g6feb
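Review bot: ssl_get_method() now returns NULL for TLS1_1_VERSION, TLS1_VERSION and DTLS1_VERSION exactly as it does for an unknown version, which is a contract change the new code leaves undocumented; a comment above the function stating the new guarantee would make the intent clear to callers, e.g. `/* Only TLSv1.2, TLSv1.3 and DTLSv1.2 have methods; every other version, including TLSv1.1 and earlier, yields NULL and must be rejected by the caller. */`. The commit message says an explicit minimum version check was added in the legacy client and server, but that is outside this file, so any caller that previously relied on a non-NULL result for a legacy version now has to be checked for a NULL dereference; those call sites are not visible here. The header-comment hunk earlier in the diff is only the RCS ID bump and needs nothing.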