Allow TLS 1.2 connections when using openssl

Adding TLS 1.2 support will allow us to be more future-proof and have better ciphersuites such as as the use of ECDHE-ECDSA-AES256-GCM-SHA384. This patch allows tls 1.2. 1.1 and 1.0 while the broken sslv2 and sslv3 are disabled. Fixes #440: Allow TLS 1.2 connections when using openssl
bareos · May 9, 2015 · fc760fc · fc760fc
1 parent 9d89f10
commit fc760fc
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/AUTHORS b/AUTHORS
@@ -22,6 +22,7 @@ Ben Walton
 Bernd Frick
 Bill Moran
 Bruno Friedmann
+Camilo Viecco
 Carlos A. Molina G
 Carsten Paeth
 Chris Lee

diff --git a/src/lib/tls_openssl.c b/src/lib/tls_openssl.c
@@ -390,15 +390,25 @@ TLS_CONTEXT *new_tls_context(const char *ca_certfile,
    ctx = (TLS_CONTEXT *)malloc(sizeof(TLS_CONTEXT));
 
    /*
-    * Allocate our OpenSSL TLSv1 Context
+    * Allocate our OpenSSL Context
+    * We allow tls 1.2. 1.1 and 1.0
     */
-   ctx->openssl = SSL_CTX_new(TLSv1_method());
-
+   ctx->openssl = SSL_CTX_new(SSLv23_method());
    if (!ctx->openssl) {
       openssl_post_errors(M_FATAL, _("Error initializing SSL context"));
       goto err;
    }
 
+   /*
+    * Enable all Bug Workarounds
+    */
+   SSL_CTX_set_options(ctx->openssl, SSL_OP_ALL);
+
+   /*
+    * Disallow broken sslv2 and sslv3.
+    */
+   SSL_CTX_set_options(ctx->openssl, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
    /*
     * Set up pem encryption callback
     */