authorBob Beck <beck@cvs.openbsd.org>2023-07-02 17:21:34 +0000
committerBob Beck <beck@cvs.openbsd.org>2023-07-02 17:21:34 +0000
commit4fd9808494c2101f7ad6f8d4e93f9187c9ce65da (patch)
tree1e2b6d43586085986ffe3b8f8b36d896cfa449b9 /lib
parent8ebb60ea0474963d819d9e9d025bf29f3b258fde (diff)
Disable TLS 1.0 and TLS 1.1 in libssl
Their time has long since passed, and they should not be used. This change restricts ssl to versions 1.2 and 1.3, and changes the regression tests to understand we no longer speak the legacy protocols. For the moment the magical "golden" byte for byte comparison tests of raw handshake values are disabled until jsing fixes them. ok jsing@ tb@
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/s3_lib.c4
-rw-r--r--lib/libssl/ssl_versions.c12
2 files changed, 4 insertions, 12 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 37ca7bd113b..7561060120c 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.244 2023/05/26 13:44:05 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.245 2023/07/02 17:21:32 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1672,7 +1672,7 @@ ssl3_clear(SSL *s)
s->s3->in_read_app_data = 0;
s->packet_length = 0;
- s->version = TLS1_VERSION;
+ s->version = TLS1_2_VERSION;
s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
}
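Review bot: The new reset value `s->version = TLS1_2_VERSION;` in ssl3_clear() carries no comment, so a reader cannot tell whether it is a floor or merely a preferred starting point; taken together with the companion change in ssl_versions.c it appears to mirror the lowest version the library now negotiates. Suggest `/* TLS 1.0/1.1 are no longer supported; reset to the new minimum. */` above the assignment. The diffstat lists only these two files, so if any other code still initialises or compares `s->version` against TLS1_VERSION or TLS1_1_VERSION as a reachable value, it would now disagree with this reset — worth confirming outside this diff.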
diff --git a/lib/libssl/ssl_versions.c b/lib/libssl/ssl_versions.c
index fbc0004f4b4..82735460622 100644
--- a/lib/libssl/ssl_versions.c
+++ b/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.26 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.27 2023/07/02 17:21:32 beck Exp $ */
/*
* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
*
@@ -150,11 +150,7 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
}
- if ((options & SSL_OP_NO_TLSv1) == 0)
- min_version = TLS1_VERSION;
- else if ((options & SSL_OP_NO_TLSv1_1) == 0)
- min_version = TLS1_1_VERSION;
- else if ((options & SSL_OP_NO_TLSv1_2) == 0)
+ if ((options & SSL_OP_NO_TLSv1_2) == 0)
min_version = TLS1_2_VERSION;
else if ((options & SSL_OP_NO_TLSv1_3) == 0)
min_version = TLS1_3_VERSION;
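Review bot: The context line `options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;` at the top of the hunk still raises SSL_OP_NO_TLSv1, but after the deletion no branch of the min-version chain reads SSL_OP_NO_TLSv1 or SSL_OP_NO_TLSv1_1, so within this function both bits are now no-ops and a reader will assume they still narrow the range. Suggest a comment above the new `if ((options & SSL_OP_NO_TLSv1_2) == 0)`: `/* TLS 1.0 and 1.1 are no longer supported; SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 are accepted but do not affect the range. */` Whether the leftover OR of SSL_OP_NO_TLSv1 is worth trimming depends on the block it sits in, which is not shown. The enclosing ssl_enabled_tls_version_range() starts before the hunk and continues past it.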
@@ -162,10 +158,6 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
max_version = TLS1_2_VERSION;
if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
- max_version = TLS1_1_VERSION;
- if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
- max_version = TLS1_VERSION;
- if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
max_version = 0;
/* Everything has been disabled... */
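Review bot: With the chain in the previous hunk leaving min_version at TLS1_2_VERSION, TLS1_3_VERSION, or its untouched initial value, the surviving `if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION) max_version = 0;` now fires only when both 1.2 and 1.3 are disabled — assuming the initial value assigned before the hunk is below TLS1_2_VERSION. That is the intended "nothing left" case, but the condition still reads as if some lower version could be selected. Suggest a comment on that line: `/* Neither TLS 1.2 nor 1.3 is enabled: nothing left to negotiate. */` The check that consumes max_version == 0 and the rest of the function are outside the hunk.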