OpenSSL: Add option to disable use of TLSv1.0
The new phase1 config parameter value tls_disable_tlsv1_0=1 can now be used to disable use of TLSv1.0 for a network configuration. This can be used to force a newer TLS version to be used. For example, phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1" would indicate that only TLS v1.2 is accepted. Signed-off-by: Jouni Malinen <j@w1.fi>
parent
2456264fad
commit
5650d379a3
4 changed files with 12 additions and 0 deletions
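--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -93,6 +93,7 @@ struct tls_config {
 #define TLS_CONN_DISABLE_TLSv1_1 BIT(5)
 #define TLS_CONN_DISABLE_TLSv1_2 BIT(6)
 #define TLS_CONN_EAP_FAST BIT(7)
+#define TLS_CONN_DISABLE_TLSv1_0 BIT(8)
 
 /**
  * struct tls_connection_params - Parameters for TLS connection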
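--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3544,6 +3544,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 #endif /* SSL_clear_options */
 #endif /* SSL_OP_NO_TICKET */
 
+#ifdef SSL_OP_NO_TLSv1
+if (params->flags & TLS_CONN_DISABLE_TLSv1_0)
+SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1);
+else
+SSL_clear_options(conn->ssl, SSL_OP_NO_TLSv1);
+#endif /* SSL_OP_NO_TLSv1 */
 #ifdef SSL_OP_NO_TLSv1_1
 if (params->flags & TLS_CONN_DISABLE_TLSv1_1)
 SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_1);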
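Review bot: When SSL_OP_NO_TLSv1 is not defined, the added `#ifdef` block at the top of the hunk drops a TLS_CONN_DISABLE_TLSv1_0 request silently, so an operator who set tls_disable_tlsv1_0=1 to keep TLS 1.0 off keeps negotiating it with no indication; that is a fail-open outcome for a hardening option. The existing SSL_OP_NO_TLSv1_1 block below it follows the same pattern, so this is inherited style rather than a regression, and SSL_OP_NO_TLSv1 is presumably defined on every OpenSSL build that also has SSL_OP_NO_TLSv1_1, so the practical exposure looks small. An `#else` branch that reports the ignored flag would still make the gap visible, e.g. `#else` / `if (params->flags & TLS_CONN_DISABLE_TLSv1_0) wpa_printf(MSG_INFO, "TLS: tls_disable_tlsv1_0 not supported by this OpenSSL build");` assuming that logging helper is available here, or the function could fail the call instead of ignoring the request. tls_connection_set_params starts and ends outside the hunk.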
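--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -68,6 +68,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
 params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
 if (os_strstr(txt, "tls_disable_session_ticket=0"))
 params->flags &= ~TLS_CONN_DISABLE_SESSION_TICKET;
+if (os_strstr(txt, "tls_disable_tlsv1_0=1"))
+params->flags |= TLS_CONN_DISABLE_TLSv1_0;
+if (os_strstr(txt, "tls_disable_tlsv1_0=0"))
+params->flags &= ~TLS_CONN_DISABLE_TLSv1_0;
 if (os_strstr(txt, "tls_disable_tlsv1_1=1"))
 params->flags |= TLS_CONN_DISABLE_TLSv1_1;
 if (os_strstr(txt, "tls_disable_tlsv1_1=0"))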
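Review bot: The two new os_strstr() checks resolve a phase1 string that contains both tls_disable_tlsv1_0=1 and tls_disable_tlsv1_0=0 to the permissive setting, because the `=0` test runs second and clears the bit regardless of which token appeared first in the string. This matches the existing tls_disable_session_ticket and tls_disable_tlsv1_1 handling, so it is inherited style rather than new behaviour, but it means a conflicting configuration silently keeps TLS 1.0 enabled. A comment above the new checks would at least record the rule, e.g. `/* a =0 token overrides =1 wherever it appears; conflicting settings leave TLSv1.0 enabled */`, or the function could log when both tokens are present so the operator notices. eap_tls_params_flags begins before the hunk and continues after it.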
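--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -986,6 +986,7 @@ fast_reauth=1
 # EAP workarounds are disabled with eap_workaround=0.
 # For EAP-FAST, this must be set to 0 (or left unconfigured for the
 # default value to be used automatically).
+# tls_disable_tlsv1_0=1 - disable use of TLSv1.0
 # tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers
 # that have issues interoperating with updated TLS version)
 # tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers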