When a user configures a single protocol, e.g. "TLSProtocol TLSv1", make

sure that we explicitly disable all of the other supported versions.
proftpd · Oct 16, 2014 · 9ff303e · 9ff303e
1 parent 8ecf81a
commit 9ff303e
Showing 1 changed file with 38 additions and 4 deletions.
diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c
@@ -2808,21 +2808,55 @@ static int tls_init_server(void) {
 #endif /* OpenSSL-1.0.1 or later */
 
   } else if (tls_protocol == TLS_PROTO_SSL_V3) {
-    SSL_CTX_set_ssl_version(ssl_ctx, SSLv3_server_method());
+    int disable_proto = (SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1);
+
+#ifdef SSL_OP_NO_TLSv1_1
+    disable_proto |= SSL_OP_NO_TLSv1_1;
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+    disable_proto |= SSL_OP_NO_TLSv1_2;
+#endif
+
     pr_log_debug(DEBUG8, MOD_TLS_VERSION ": supporting SSLv3 protocol only");
+    SSL_CTX_set_ssl_version(ssl_ctx, SSLv3_server_method());
+    SSL_CTX_set_options(ssl_ctx, disable_proto);
 
   } else if (tls_protocol == TLS_PROTO_TLS_V1) {
-    SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_server_method());
+    int disable_proto = (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
+
+#ifdef SSL_OP_NO_TLSv1_1
+    disable_proto |= SSL_OP_NO_TLSv1_1;
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+    disable_proto |= SSL_OP_NO_TLSv1_2;
+#endif
+
     pr_log_debug(DEBUG8, MOD_TLS_VERSION ": supporting TLSv1 protocol only");
+    SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_server_method());
+    SSL_CTX_set_options(ssl_ctx, disable_proto);
 
 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
   } else if (tls_protocol == TLS_PROTO_TLS_V1_1) {
-    SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_1_server_method());
+    int disable_proto = (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
+
+#ifdef SSL_OP_NO_TLSv1_2
+    disable_proto |= SSL_OP_NO_TLSv1_2;
+#endif
+
     pr_log_debug(DEBUG8, MOD_TLS_VERSION ": supporting TLSv1.1 protocol only");
+    SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_1_server_method());
+    SSL_CTX_set_options(ssl_ctx, disable_proto);
 
   } else if (tls_protocol == TLS_PROTO_TLS_V1_2) {
-    SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_2_server_method());
+    int disable_proto = (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
+
+#ifdef SSL_OP_NO_TLSv1_1
+    disable_proto |= SSL_OP_NO_TLSv1_1;
+#endif
+
     pr_log_debug(DEBUG8, MOD_TLS_VERSION ": supporting TLSv1.2 protocol only");
+    SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_2_server_method());
+    SSL_CTX_set_options(ssl_ctx, disable_proto);
 
 #endif /* OpenSSL-1.0.1 or later */