From ddcb4efd6551a982bf29b2e8e83c9c808a1670dc Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sun, 2 Jul 2023 17:21:33 +0000
Subject: Disable TLS 1.0 and TLS 1.1 in libssl
Their time has long since past, and they should not be used. This change restricts ssl to versions 1.2 and 1.3, and changes the regression tests to understand we no longer speak the legacy protocols. For the moment the magical "golden" byte for byte comparison tests of raw handshake values are disabled util jsing fixes them. ok jsing@ tb@
---
 src/lib/libssl/s3_lib.c | 4 ++--
 src/lib/libssl/ssl_versions.c | 12 ++----------
 2 files changed, 4 insertions(+), 12 deletions(-)
(limited to 'src/lib/libssl')
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 37ca7bd113..7561060120 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.244 2023/05/26 13:44:05 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.245 2023/07/02 17:21:32 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1672,7 +1672,7 @@ ssl3_clear(SSL *s)
 	s->s3->in_read_app_data = 0;
 	s->packet_length = 0;
-	s->version = TLS1_VERSION;
+	s->version = TLS1_2_VERSION;
 	s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
 }
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index fbc0004f4b..8273546062 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.26 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.27 2023/07/02 17:21:32 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing
  *
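Review bot: The new `s->version = TLS1_2_VERSION;` in ssl3_clear hard-codes the same protocol floor that ssl_enabled_tls_version_range() in ssl_versions.c now encodes in its SSL_OP_NO_TLSv1_2 chain, so the minimum lives in two files with nothing tying them together. A short comment on the new line would help whoever next raises the floor find the second place, e.g. `/* Lowest version libssl still negotiates; keep in sync with ssl_enabled_tls_version_range(). */`. The rest of ssl3_clear lies outside the hunk, so whether other default-version assignments in this file were updated in the same way cannot be seen here.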
@@ -150,11 +150,7 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 		options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
 	}
-	if ((options & SSL_OP_NO_TLSv1) == 0)
-		min_version = TLS1_VERSION;
-	else if ((options & SSL_OP_NO_TLSv1_1) == 0)
-		min_version = TLS1_1_VERSION;
-	else if ((options & SSL_OP_NO_TLSv1_2) == 0)
+	if ((options & SSL_OP_NO_TLSv1_2) == 0)
 		min_version = TLS1_2_VERSION;
 	else if ((options & SSL_OP_NO_TLSv1_3) == 0)
 		min_version = TLS1_3_VERSION;
@@ -162,10 +158,6 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 	if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
 		max_version = TLS1_2_VERSION;
 	if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
-		max_version = TLS1_1_VERSION;
-	if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
-		max_version = TLS1_VERSION;
-	if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
 		max_version = 0;
 	/* Everything has been disabled... */
-- cgit v1.2.3-55-g6feb
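Review bot: After this change SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 are still accepted in `options` but no longer consulted in either visible hunk of ssl_enabled_tls_version_range(), so a caller that sets only those bits now gets the same range as one that sets none, and the surviving context line `options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;` sets one bit the function ignores. If the code above the hunk (the function's start is outside it) still translates SSL_OP_NO_DTLSv1 into SSL_OP_NO_TLSv1_1, that option quietly stops having any effect for DTLS, which is worth confirming and covering in the regression tests the commit message mentions. A comment ahead of the new `if ((options & SSL_OP_NO_TLSv1_2) == 0)` would record the new floor for readers of this file: `/* TLSv1.0 and TLSv1.1 are no longer negotiated; SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 are accepted but have no effect. */`. The second hunk at @@ -162 stays consistent with the first: min_version can now only be TLS1_2_VERSION, TLS1_3_VERSION or whatever it was initialised to above the hunk, so `min_version < TLS1_2_VERSION` holds only when both remaining versions are disabled and max_version correctly becomes 0.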