From 061cecdbec63bc199930ea64ef6fbb4f1661b577 Mon Sep 17 00:00:00 2001
From: Michael Penick
Date: Fri, 17 Jul 2020 16:06:03 -0400
Subject: [PATCH] Limit to TLS 1.2 (and below)

---
 src/ssl/ssl_openssl_impl.cpp | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/ssl/ssl_openssl_impl.cpp b/src/ssl/ssl_openssl_impl.cpp
index 4d60d3765..29d26ef51 100644
--- a/src/ssl/ssl_openssl_impl.cpp
+++ b/src/ssl/ssl_openssl_impl.cpp
@@ -436,9 +436,6 @@ OpenSslSession::OpenSslSession(const Address& address, const String& hostname,
 , incoming_bio_(rb::RingBufferBio::create(&incoming_state_))
 , outgoing_bio_(rb::RingBufferBio::create(&outgoing_state_)) {
 SSL_set_bio(ssl_, incoming_bio_, outgoing_bio_);
-#if DEBUG_SSL
- SSL_CTX_set_info_callback(ssl_ctx, ssl_info_callback);
-#endif
 SSL_set_connect_state(ssl_);
 
 if (!sni_server_name_.empty()) {
@@ -542,6 +539,11 @@ OpenSslContext::OpenSslContext()
 , trusted_store_(X509_STORE_new()) {
 SSL_CTX_set_cert_store(ssl_ctx_, trusted_store_);
 SSL_CTX_set_verify(ssl_ctx_, SSL_VERIFY_NONE, ssl_no_verify_callback);
+ // Limit to TLS 1.2 for now. TLS 1.3 has broken the handshake code.
+ SSL_CTX_set_max_proto_version(ssl_ctx_, TLS1_2_VERSION);
+#if DEBUG_SSL
+ SSL_CTX_set_info_callback(ssl_ctx_, ssl_info_callback);
+#endif
 }
 
 OpenSslContext::~OpenSslContext() { SSL_CTX_free(ssl_ctx_); }
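Review bot: The return value of the added `SSL_CTX_set_max_proto_version(ssl_ctx_, TLS1_2_VERSION)` call in the OpenSslContext constructor is ignored; OpenSSL reports failure with 0, and if the cap is not applied the handshake path the new comment describes as broken can still be negotiated at TLS 1.3. Check it and report through the project's logging facility, e.g. `if (!SSL_CTX_set_max_proto_version(ssl_ctx_, TLS1_2_VERSION)) { /* log: failed to cap TLS version */ }`, and since this is a workaround rather than policy, turn the comment into `// TODO(<tracking-issue>): Limit to TLS 1.2 until the handshake code handles TLS 1.3.` so it is revisited. Only the ceiling is pinned here; if the intent is an explicit accepted range, the matching `SSL_CTX_set_min_proto_version` (available alongside since OpenSSL 1.1.0) would make the floor deliberate instead of whatever the linked library defaults to. If the project still builds against OpenSSL before 1.1.0, this call will not compile there and needs an `OPENSSL_VERSION_NUMBER` guard; I cannot tell the supported range from this hunk. The constructor's initializer list begins outside the hunk.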