Workaround for bug in behaviour of Ssl module

Signed-off-by: Thomas Sanders <thomas.sanders@citrix.com>
thomassa · Feb 18, 2016 · 1dc8494 · 1dc8494
1 parent ab27f96
commit 1dc8494
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/src/channels.ml b/src/channels.ml
@@ -92,8 +92,10 @@ let gen_sslctx legacy ciphers =
       Ssl.Client_context
   in
   if legacy then (
-    (* Disable SSL v2 and v3, and TLSv1.1, leaving only TLSv1.0 and TLSv1.2 *)
-    Ssl.disable_protocols ctx [Ssl.SSLv23; Ssl.TLSv1_1];
+    (* Disable SSL v2 and v3, leaving only TLSv1.0 and TLSv1.1 and TLSv1.2 *)
+    (* We don't need 1.1, but if we add it to the list then 1.2 gets disabled
+     * too: a bug in the Ssl module v0.5.2 (or the libssl it is using) *)
+    Ssl.disable_protocols ctx [Ssl.SSLv23];
   );
   Ssl.set_cipher_list ctx (match ciphers with
     | Some c -> c