-rw-r--r-- | lib/libtls/tls.h | 6 | ||||
-rw-r--r-- | libexec/spamd/spamd.c | 4 | ||||
-rw-r--r-- | usr.bin/ftp/main.c | 4 | ||||
-rw-r--r-- | usr.sbin/httpd/server.c | 4 | ||||
-rw-r--r-- | usr.sbin/syslogd/syslogd.c | 4 |
5 files changed, 16 insertions, 6 deletions
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h index 0a6f8d72584..0fafcc6e23f 100644 --- a/lib/libtls/tls.h +++ b/lib/libtls/tls.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.h,v 1.7 2015/02/11 07:01:10 jsing Exp $ */ +/* $OpenBSD: tls.h,v 1.8 2015/02/12 04:23:17 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -25,7 +25,9 @@ #define TLS_PROTOCOL_TLSv1_2 (1 << 3) #define TLS_PROTOCOL_TLSv1 \ (TLS_PROTOCOL_TLSv1_0|TLS_PROTOCOL_TLSv1_1|TLS_PROTOCOL_TLSv1_2) -#define TLS_PROTOCOLS_DEFAULT TLS_PROTOCOL_TLSv1 + +#define TLS_PROTOCOLS_ALL TLS_PROTOCOL_TLSv1 +#define TLS_PROTOCOLS_DEFAULT TLS_PROTOCOL_TLSv1_2 #define TLS_READ_AGAIN -2 #define TLS_WRITE_AGAIN -3 diff --git a/libexec/spamd/spamd.c b/libexec/spamd/spamd.c index 52a25e03417..1b0e185808a 100644 --- a/libexec/spamd/spamd.c +++ b/libexec/spamd/spamd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: spamd.c,v 1.123 2015/02/07 10:45:19 henning Exp $ */ +/* $OpenBSD: spamd.c,v 1.124 2015/02/12 04:23:17 jsing Exp $ */ /* * Copyright (c) 2015 Henning Brauer <henning@openbsd.org> @@ -442,6 +442,8 @@ spamd_tls_init(char *keyfile, char *certfile) errx(1, "failed to get tls server"); /* might need user-specified ciphers, tls_config_set_ciphers */ + tls_config_set_protocols(tlscfg, TLS_PROTOCOLS_ALL); + if (tls_config_set_cert_file(tlscfg, certfile) != 0) err(1, "could not load certificate %s", certfile); if (tls_config_set_key_file(tlscfg, keyfile) != 0) diff --git a/usr.bin/ftp/main.c b/usr.bin/ftp/main.c index 5e2595d4dbf..ae333c0479f 100644 --- a/usr.bin/ftp/main.c +++ b/usr.bin/ftp/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.97 2015/02/09 08:24:21 tedu Exp $ */ +/* $OpenBSD: main.c,v 1.98 2015/02/12 04:23:17 jsing Exp $ */ /* $NetBSD: main.c,v 1.24 1997/08/18 10:20:26 lukem Exp $ */ /* @@ -312,6 +312,8 @@ main(volatile int argc, char *argv[]) tls_config = tls_config_new(); if (tls_config == NULL) errx(1, "tls config failed"); + tls_config_set_protocols(tls_config, + TLS_PROTOCOLS_ALL); } cp = optarg; 
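Review bot: The two macros added in the `@@ -25,7 +25,9 @@` hunk of tls.h have no comment, and the names alone do not say that `TLS_PROTOCOLS_DEFAULT` is now TLSv1.2 only while `TLS_PROTOCOLS_ALL` is the TLSv1.0|TLSv1.1|TLSv1.2 mask. I would put a comment above them such as `/* ALL: every TLSv1.x version; DEFAULT: TLSv1.2 only, used when the caller sets no protocols. */`. A consumer of the library that never calls tls_config_set_protocols() presumably stops negotiating TLSv1.0 and TLSv1.1 after this change, so the library documentation should say the same if it does not already.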
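Review bot: The added `tls_config_set_protocols(tlscfg, TLS_PROTOCOLS_ALL);` in spamd_tls_init() opts the program back into TLSv1.0 and TLSv1.1 without saying why, and the same bare call is added in usr.bin/ftp/main.c, usr.sbin/httpd/server.c and usr.sbin/syslogd/syslogd.c. If compatibility with older peers is the reason, a comment at each site such as `/* allow all TLSv1.x versions for older peers; the library default is TLSv1.2 only */` would show that the wider set is deliberate. It would also make these call sites easy to find when the older versions are retired. The enclosing functions start and end outside the hunks.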
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c index 6e63120b95f..504195b47c8 100644 --- a/usr.sbin/httpd/server.c +++ b/usr.sbin/httpd/server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: server.c,v 1.57 2015/02/07 23:56:02 reyk Exp $ */ +/* $OpenBSD: server.c,v 1.58 2015/02/12 04:23:17 jsing Exp $ */ /* * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org> @@ -175,6 +175,8 @@ server_tls_init(struct server *srv) return (-1); } + tls_config_set_protocols(srv->srv_tls_config, TLS_PROTOCOLS_ALL); + if (tls_config_set_ciphers(srv->srv_tls_config, srv->srv_conf.tls_ciphers) != 0) { log_warn("%s: failed to set tls ciphers", __func__); diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c index abf67e89e14..591fe2beb8e 100644 --- a/usr.sbin/syslogd/syslogd.c +++ b/usr.sbin/syslogd/syslogd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: syslogd.c,v 1.153 2015/02/10 18:30:20 bluhm Exp $ */ +/* $OpenBSD: syslogd.c,v 1.154 2015/02/12 04:23:17 jsing Exp $ */ /* * Copyright (c) 1983, 1988, 1993, 1994 @@ -526,6 +526,8 @@ main(int argc, char *argv[]) } else { struct stat sb; + tls_config_set_protocols(tlsconfig, TLS_PROTOCOLS_ALL); + fd = -1; p = NULL; errno = 0; |
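Review bot: In server_tls_init() the cipher list is taken from `srv->srv_conf.tls_ciphers`, but the protocol set added just above it is the fixed constant `TLS_PROTOCOLS_ALL`, so from these lines an administrator can narrow the ciphers of a server but cannot turn off TLSv1.0 or TLSv1.1. Consider carrying a protocols value in the server configuration next to the ciphers and passing it here, for example `tls_config_set_protocols(srv->srv_tls_config, srv->srv_conf.<protocols field>);`, with the current constant as the fallback when nothing is configured. The function body continues outside the hunk, so such a setting may already be handled elsewhere.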