Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MDEV-22221: wolfssl tls13 #1501

Closed
wants to merge 5 commits into from
Closed

MDEV-22221: wolfssl tls13 #1501

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
f32b135
MDEV-22221: enable tlsv1.3 and AES-GCM ciphers on wolfssl
grooverdan Apr 12, 2020
b11d6be
MDEV-22221: enable ssl on all client utilities
grooverdan Apr 12, 2020
ebce05f
MDEV-22221: mysqltest to support TLS-VERSION
grooverdan Apr 13, 2020
40379af
MDEV-22221: main.ssl_ciphers valid for TLS!=v1.3
grooverdan Apr 13, 2020
4ae7c96
MDEV-22221: main.ssl_8k_key test, cipher valid for TLS!=v1.3
grooverdan Apr 13, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
6 changes: 3 additions & 3 deletions client/mysql.cc
View file
Open in desktop
Expand Up @@ -1357,7 +1357,7 @@ static bool do_connect(MYSQL *mysql, const char *host, const char *user,
{
if (opt_secure_auth)
mysql_options(mysql, MYSQL_SECURE_AUTH, (char *) &opt_secure_auth);
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
#if !defined(EMBEDDED_LIBRARY)
if (opt_use_ssl)
{
mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
Expand Down Expand Up @@ -4809,12 +4809,12 @@ com_status(String *buffer __attribute__((unused)),
mysql_free_result(result);
}

#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
#if !defined(EMBEDDED_LIBRARY)
if ((status_str= mysql_get_ssl_cipher(&mysql)))
tee_fprintf(stdout, "SSL:\t\t\tCipher in use is %s\n",
status_str);
else
#endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY */
#endif /* !EMBEDDED_LIBRARY */
tee_puts("SSL:\t\t\tNot in use", stdout);

if (skip_updates)
Expand Down
2 changes: 0 additions & 2 deletions client/mysqladmin.cc
View file
Open in desktop
Expand Up @@ -354,7 +354,6 @@ int main(int argc,char *argv[])
uint tmp=opt_connect_timeout;
mysql_options(&mysql,MYSQL_OPT_CONNECT_TIMEOUT, (char*) &tmp);
}
#ifdef HAVE_OPENSSL
if (opt_use_ssl)
{
mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
Expand All @@ -365,7 +364,6 @@ int main(int argc,char *argv[])
}
mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
#endif
if (opt_protocol)
mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
if (!strcmp(default_charset,MYSQL_AUTODETECT_CHARSET_NAME))
Expand Down
2 changes: 0 additions & 2 deletions client/mysqlbinlog.cc
View file
Open in desktop
Expand Up @@ -2122,7 +2122,6 @@ static Exit_status safe_connect()
return ERROR_STOP;
}

#ifdef HAVE_OPENSSL
if (opt_use_ssl)
{
mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
Expand All @@ -2133,7 +2132,6 @@ static Exit_status safe_connect()
}
mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
#endif /*HAVE_OPENSSL*/

if (opt_plugindir && *opt_plugindir)
mysql_options(mysql, MYSQL_PLUGIN_DIR, opt_plugindir);
Expand Down
2 changes: 0 additions & 2 deletions client/mysqlcheck.c
View file
Open in desktop
Expand Up @@ -1099,15 +1099,13 @@ static int dbConnect(char *host, char *user, char *passwd)
mysql_init(&mysql_connection);
if (opt_compress)
mysql_options(&mysql_connection, MYSQL_OPT_COMPRESS, NullS);
#ifdef HAVE_OPENSSL
if (opt_use_ssl)
{
mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
}
#endif
if (opt_protocol)
mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);

Expand Down
2 changes: 0 additions & 2 deletions client/mysqldump.c
View file
Open in desktop
Expand Up @@ -1706,7 +1706,6 @@ static int connect_to_db(char *host, char *user,char *passwd)
mysql_init(&mysql_connection);
if (opt_compress)
mysql_options(&mysql_connection,MYSQL_OPT_COMPRESS,NullS);
#ifdef HAVE_OPENSSL
if (opt_use_ssl)
{
mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
Expand All @@ -1717,7 +1716,6 @@ static int connect_to_db(char *host, char *user,char *passwd)
}
mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
#endif
if (opt_protocol)
mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
mysql_options(&mysql_connection, MYSQL_SET_CHARSET_NAME, default_charset);
Expand Down
2 changes: 0 additions & 2 deletions client/mysqlimport.c
View file
Open in desktop
Expand Up @@ -444,7 +444,6 @@ static MYSQL *db_connect(char *host, char *database,
if (opt_local_file)
mysql_options(mysql,MYSQL_OPT_LOCAL_INFILE,
(char*) &opt_local_file);
#ifdef HAVE_OPENSSL
if (opt_use_ssl)
{
mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
Expand All @@ -455,7 +454,6 @@ static MYSQL *db_connect(char *host, char *database,
}
mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
#endif
if (opt_protocol)
mysql_options(mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);

Expand Down
2 changes: 0 additions & 2 deletions client/mysqlshow.c
View file
Open in desktop
Expand Up @@ -116,7 +116,6 @@ int main(int argc, char **argv)
mysql_init(&mysql);
if (opt_compress)
mysql_options(&mysql,MYSQL_OPT_COMPRESS,NullS);
#ifdef HAVE_OPENSSL
if (opt_use_ssl)
{
mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
Expand All @@ -127,7 +126,6 @@ int main(int argc, char **argv)
}
mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
#endif
if (opt_protocol)
mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);

Expand Down
3 changes: 1 addition & 2 deletions client/mysqlslap.c
View file
Open in desktop
Expand Up @@ -296,15 +296,14 @@ void set_mysql_connect_options(MYSQL *mysql)
{
if (opt_compress)
mysql_options(mysql,MYSQL_OPT_COMPRESS,NullS);
#ifdef HAVE_OPENSSL
if (opt_use_ssl)
{
mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(mysql, MARIADB_OPT_TLS_VERSION, opt_tls_version);
mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
}
#endif
if (opt_protocol)
mysql_options(mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
mysql_options(mysql, MYSQL_SET_CHARSET_NAME, default_charset);
Expand Down
23 changes: 19 additions & 4 deletions client/mysqltest.cc
View file
Open in desktop
Expand Up @@ -5898,6 +5898,7 @@ void do_connect(struct st_command *command)
int con_port= opt_port;
char *con_options;
char *ssl_cipher __attribute__((unused))= 0;
char *tls_version __attribute__((unused))= 0;
my_bool con_ssl= 0, con_compress= 0;
my_bool con_pipe= 0;
int read_timeout= 0;
Expand Down Expand Up @@ -5986,6 +5987,19 @@ void do_connect(struct st_command *command)
{
con_ssl= 1;
ssl_cipher=con_options + 11;
if (*end)
{
*end++= '\0';
}
}
else if (!strncmp(con_options, "TLS-VERSION=", 12))
{
con_ssl= 1;
tls_version=con_options + 12;
if (*end)
{
*end++= '\0';
}
}
else if (length == 8 && !strncmp(con_options, "COMPRESS", 8))
con_compress= 1;
Expand Down Expand Up @@ -6051,19 +6065,20 @@ void do_connect(struct st_command *command)
if (opt_charsets_dir)
mysql_options(con_slot->mysql, MYSQL_SET_CHARSET_DIR,
opt_charsets_dir);
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
#if !defined(EMBEDDED_LIBRARY)
if (opt_use_ssl)
con_ssl= 1;
#endif

if (con_ssl)
{
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
#if !defined(EMBEDDED_LIBRARY)
mysql_ssl_set(con_slot->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, ssl_cipher ? ssl_cipher : opt_ssl_cipher);
mysql_options(con_slot->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(con_slot->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
mysql_options(con_slot->mysql, MARIADB_OPT_TLS_VERSION, opt_tls_version);
mysql_options(con_slot->mysql, MARIADB_OPT_TLS_VERSION,
tls_version ? tls_version : opt_tls_version);
#if MYSQL_VERSION_ID >= 50000
/* Turn on ssl_verify_server_cert only if host is "localhost" */
opt_ssl_verify_server_cert= !strcmp(ds_host.str, "localhost");
Expand Down Expand Up @@ -9291,7 +9306,7 @@ int main(int argc, char **argv)
if (opt_plugin_dir && *opt_plugin_dir)
mysql_options(con->mysql, MYSQL_PLUGIN_DIR, opt_plugin_dir);

#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
#if !defined(EMBEDDED_LIBRARY)

if (opt_use_ssl)
{
Expand Down
5 changes: 2 additions & 3 deletions extra/wolfssl/CMakeLists.txt
View file
Open in desktop
Expand Up @@ -36,6 +36,7 @@ SET(WOLFSSL_SOURCES
${WOLFSSL_SRCDIR}/tls.c
${WOLFSSL_SRCDIR}/wolfio.c
${WOLFSSL_SRCDIR}/ocsp.c
${WOLFSSL_SRCDIR}/tls13.c
${WOLFSSL_SRCDIR}/ssl.c)
ADD_DEFINITIONS(-DWOLFSSL_LIB -DBUILDING_WOLFSSL)

Expand Down Expand Up @@ -99,9 +100,6 @@ ENDIF()
IF(WOLFSSL_FASTMATH)
SET(USE_FAST_MATH 1)
SET(TFM_TIMING_RESISTANT 1)
# FP_MAX_BITS is set high solely to satisfy ssl_8k_key.test
# WolfSSL will use more stack space with it
SET(FP_MAX_BITS 16384)
SET(WOLFCRYPT_SOURCES ${WOLFCRYPT_SOURCES} ${WOLFCRYPT_SRCDIR}/tfm.c)
ELSE()
SET(WOLFCRYPT_SOURCES ${WOLFCRYPT_SOURCES} ${WOLFCRYPT_SRCDIR}/integer.c)
Expand All @@ -124,6 +122,7 @@ IF(WOLFSSL_INTELASM)
SET(USE_INTEL_SPEEDUP 1)
LIST(APPEND WOLFCRYPT_SOURCES
${WOLFCRYPT_SRCDIR}/aes_asm.S
${WOLFCRYPT_SRCDIR}/aes_gcm_asm.S
${WOLFCRYPT_SRCDIR}/sha512_asm.S
${WOLFCRYPT_SRCDIR}/sha256_asm.S)
ADD_DEFINITIONS(-maes -msse4 -mpclmul)
Expand Down
14 changes: 13 additions & 1 deletion extra/wolfssl/user_settings.h.in
View file
Open in desktop
Expand Up @@ -21,13 +21,25 @@
#define NO_WOLFSSL_STUB
#define OPENSSL_ALL
#define WOLFSSL_ALLOW_TLSV10
#define FP_MAX_BITS 16384
#define HAVE_FFDHE_8192
#define HAVE_FFDHE_6144
#define HAVE_FFDHE_4096
#define HAVE_FFDHE_3072
#define HAVE_FFDHE_2048
#define WOLFSSL_TLS13
#define WC_RSA_PSS
#define HAVE_HKDF
#define HAVE_AEAD
#define HAVE_SUPPORTED_CURVES
#define HAVE_AESGCM
#define WOLFSSL_AES_256

#cmakedefine WOLFSSL_AESNI
#cmakedefine USE_FAST_MATH
#cmakedefine TFM_TIMING_RESISTANT
#cmakedefine HAVE_INTEL_RDSEED
#cmakedefine USE_INTEL_SPEEDUP
#cmakedefine FP_MAX_BITS @FP_MAX_BITS@
#cmakedefine USE_FAST_MATH
#cmakedefine WOLFSSL_X86_64_BUILD

Expand Down
2 changes: 1 addition & 1 deletion include/mysql/service_my_crypt.h
View file
Open in desktop
Expand Up @@ -45,7 +45,7 @@ extern "C" {
/* The max key length of all supported algorithms */
#define MY_AES_MAX_KEY_LENGTH 32

#define MY_AES_CTX_SIZE 600
#define MY_AES_CTX_SIZE 624

enum my_aes_mode {
MY_AES_ECB, MY_AES_CBC
Expand Down
2 changes: 1 addition & 1 deletion mysql-test/main/ssl_8k_key.test
View file
Open in desktop
Expand Up @@ -2,7 +2,7 @@
#
# Bug#29784 YaSSL assertion failure when reading 8k key.
#
--exec $MYSQL --connect-timeout=180 --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SELECT (VARIABLE_VALUE <> '') as have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'" 2>&1
--exec $MYSQL --connect-timeout=180 --ssl --tls-version=TLSv1.1 --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SELECT (VARIABLE_VALUE <> '') as have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'" 2>&1
Copy link
Member

@vaintroub vaintroub May 2, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this --tls-version change needed?


## This test file is for testing encrypted communication only, not other
## encryption routines that the SSL library happens to provide!
14 changes: 7 additions & 7 deletions mysql-test/main/ssl_cipher.result
View file
Open in desktop
Expand Up @@ -3,15 +3,15 @@ create user ssl_user2@localhost require cipher 'AES256-SHA';
create user ssl_user3@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client';
create user ssl_user4@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client' ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB';
create user ssl_user5@localhost require cipher 'AES256-SHA' AND SUBJECT 'xxx';
connect con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA;
connect con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA TLS-VERSION=TLSv1.1;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess you need TLS-VERSION=TLSv1,TLSv1.1,TLSv1.2 here, and in all other places
this excludes TLSv1.3, this is what you want to do, TLS-VERSION=TLSv1.1 would force 1.1 instead

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or, you can maybe automatically set tls_version to "TLSv1,TLSv1.1,TLSv1.2", whenever SSL-CIPHER is given, this would minimize the patch

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the behaviour of implicit tls_version when SSL-CIPHER Is given. Good idea. I'll probably take a diversion to MDEV-21965 as it has some implications on what the behaviour here should be.

I'm also the the depths of EVP_CipherFinal_ex differences between openssl and wolfssl in the aes unittest failure on AES-GCM. So much for a quick enablement PR.

connect(localhost,ssl_user2,,test,MASTER_PORT,MASTER_SOCKET);
connect con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA;
connect con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA TLS-VERSION=TLSv1.1;
ERROR 28000: Access denied for user 'ssl_user2'@'localhost' (using password: NO)
connect con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA;
connect con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA;
connect con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA;
connect con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA TLS-VERSION=TLSv1.1;
connect con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA TLS-VERSION=TLSv1.1;
connect con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA TLS-VERSION=TLSv1.1;
connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET);
connect con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA;
connect con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA TLS-VERSION=TLSv1.1;
ERROR 28000: Access denied for user 'ssl_user5'@'localhost' (using password: NO)
connection con1;
SHOW STATUS LIKE 'Ssl_cipher';
Expand Down Expand Up @@ -57,7 +57,7 @@ Variable_name Value
Ssl_cipher AES256-SHA
drop user mysqltest_1@localhost;
# restart: --ssl-cipher=AES128-SHA
connect ssl_con,localhost,root,,,,,SSL;
connect ssl_con,localhost,root,,,,,SSL TLS-VERSION=TLSv1.1;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
Expand Down
14 changes: 7 additions & 7 deletions mysql-test/main/ssl_cipher.test
View file
Open in desktop
Expand Up @@ -14,16 +14,16 @@ create user ssl_user3@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/S
create user ssl_user4@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client' ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB';
create user ssl_user5@localhost require cipher 'AES256-SHA' AND SUBJECT 'xxx';

connect (con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA);
connect (con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA TLS-VERSION=TLSv1.1);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA);
connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA);
connect (con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA);
connect (con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA);
connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA TLS-VERSION=TLSv1.1);
connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA TLS-VERSION=TLSv1.1);
connect (con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA TLS-VERSION=TLSv1.1);
connect (con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA TLS-VERSION=TLSv1.1);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect (con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA);
connect (con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA TLS-VERSION=TLSv1.1);

connection con1;
SHOW STATUS LIKE 'Ssl_cipher';
Expand Down Expand Up @@ -96,7 +96,7 @@ drop user mysqltest_1@localhost;
#
let $restart_parameters=--ssl-cipher=AES128-SHA;
source include/restart_mysqld.inc;
connect (ssl_con,localhost,root,,,,,SSL);
connect (ssl_con,localhost,root,,,,,SSL TLS-VERSION=TLSv1.1);
SHOW STATUS LIKE 'Ssl_cipher';
SHOW STATUS LIKE 'Ssl_cipher_list';
disconnect ssl_con;
Expand Down
4 changes: 2 additions & 2 deletions vio/viosslfactories.c
View file
Open in desktop
Expand Up @@ -190,7 +190,7 @@ static long vio_tls_protocol_options(ulonglong tls_version)
#ifdef TLS1_3_VERSION
SSL_OP_NO_TLSv1_3 |
#endif
#if defined(TLS1_2_VERSION) || defined(HAVE_WOLFSSL)
#if defined(TLS1_2_VERSION)
SSL_OP_NO_TLSv1_2 |
#endif
SSL_OP_NO_TLSv1_1 |
Expand All @@ -205,7 +205,7 @@ static long vio_tls_protocol_options(ulonglong tls_version)
disabled_tls_protocols&= ~SSL_OP_NO_TLSv1;
if (tls_version & VIO_TLSv1_1)
disabled_tls_protocols&= ~SSL_OP_NO_TLSv1_1;
#if defined(TLS1_2_VERSION) || defined(HAVE_WOLFSSL)
#if defined(TLS1_2_VERSION)
if (tls_version & VIO_TLSv1_2)
disabled_tls_protocols&= ~SSL_OP_NO_TLSv1_2;
#endif
Expand Down