authorJouni Malinen <j@w1.fi>2014-11-15 10:35:10 (GMT)
committerJouni Malinen <j@w1.fi>2014-11-15 10:35:10 (GMT)
commit35efa2479ff19c3f13e69dc50d2708ce79a99beb (patch)
treee1100c8b1d54e4e46f35545690efc35c318bcc5d
parent281ff42a01b6648a56f70f3a805a3f0bd478d26f (diff)
downloadhostap-35efa2479ff19c3f13e69dc50d2708ce79a99beb.zip
hostap-35efa2479ff19c3f13e69dc50d2708ce79a99beb.tar.gz
hostap-35efa2479ff19c3f13e69dc50d2708ce79a99beb.tar.bz2
OpenSSL: Allow TLS v1.1 and v1.2 to be negotiated by default
Use SSLv23_method() to enable TLS version negotiation for any version equal to or newer than 1.0. If the old behavior is needed as a workaround for some broken authentication servers, it can be configured with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1". Signed-off-by: Jouni Malinen <j@w1.fi>
-rw-r--r--src/crypto/tls_openssl.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index c9e5611..a238982 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -810,7 +810,7 @@ void * tls_init(const struct tls_config *conf)
}
tls_openssl_ref_count++;
- ssl = SSL_CTX_new(TLSv1_method());
+ ssl = SSL_CTX_new(SSLv23_method());
if (ssl == NULL) {
tls_openssl_ref_count--;
#ifdef OPENSSL_SUPPORTS_CTX_APP_DATA
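Review bot: The `SSL_CTX_new(SSLv23_method())` line reads, on its own, as if SSLv2 and SSLv3 were being enabled, and nothing next to it says why the version-flexible method was chosen or where the legacy protocols are switched off. A short comment above the call would save the next reader a trip to the later hunk: `/* SSLv23_method() negotiates the highest mutually supported version; SSLv2/SSLv3 are disabled with SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 right after the context is created, so only TLS 1.0+ is offered. */`. It would also help to note in that comment that the minimum TLS version stays at 1.0 here and that the tls_disable_tlsv1_1/tls_disable_tlsv1_2 phase1 options mentioned in the commit message are the intended per-network knobs, since they are presumably handled elsewhere in tls_openssl.c. The enclosing tls_init() starts before this hunk and continues past it.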
@@ -824,6 +824,9 @@ void * tls_init(const struct tls_config *conf)
return NULL;
}
+ SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
+
SSL_CTX_set_info_callback(ssl, ssl_info_cb);
#ifdef OPENSSL_SUPPORTS_CTX_APP_DATA
SSL_CTX_set_app_data(ssl, context);