author | Jeremy Harris <jgh146exb@wizmail.org> | 2022-10-04 13:20:29 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2022-10-04 13:24:35 +0100 |
commit | 96751ae76e6c6db435f5a4f141511d6f973b6583 (patch) | |
tree | a28e76afda4822ecec068ad65c8b438ebd698d28 /src | |
parent | ece23f05d6a430a461a75639197271c23f6858ec (diff) | |
download | exim4-96751ae76e6c6db435f5a4f141511d6f973b6583.tar.gz |
OpenSSL: fix configuration of older TLS protocol versions
Diffstat (limited to 'src')
-rw-r--r-- | src/src/tls-openssl.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 0129fb93e..9ddb16fc4 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2210,7 +2210,9 @@ already exists. Might even need this selfsame callback, for reneg? */
 SSL_CTX * ctx = state_server.lib_state.lib_ctx;
 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(ctx));
 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(ctx));
+ SSL_CTX_set_min_proto_version(server_sni, SSL3_VERSION);
 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(ctx));
+ SSL_CTX_clear_options(server_sni, ~SSL_CTX_get_options(ctx));
 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(ctx));
 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
 SSL_CTX_set_tlsext_servername_arg(server_sni, state);
@@ -2726,10 +2728,15 @@ if (init_options)
 }
 #endif
- DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
- if (!(SSL_CTX_set_options(ctx, init_options)))
- return tls_error(string_sprintf(
+ SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
+ DEBUG(D_tls) debug_printf("setting SSL CTX options: %016lx\n", init_options);
+ SSL_CTX_set_options(ctx, init_options);
+ {
+ ulong readback = SSL_CTX_clear_options(ctx, ~init_options);
+ if (readback != init_options)
+ return tls_error(string_sprintf(
 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
+ }
 }
 else
 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
|
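Review bot: The added `SSL_CTX_set_min_proto_version(server_sni, SSL3_VERSION);` hard-codes the floor instead of copying it from `ctx` as the neighbouring mode, options and timeout lines do, and its result (0 on failure) is ignored; the second hunk adds the same unchecked call for `ctx`. Lowering the floor to SSLv3 overrides any stricter minimum that the library or system configuration had applied, so after this change only the `SSL_OP_NO_*` bits in the options keep old protocol versions disabled. A comment at both sites such as `/* floor lowered on purpose; old protocol versions are excluded only through the SSL_OP_NO_* option bits */` would record that intent. The setter was introduced with OpenSSL 1.1.0 and no version guard is visible in either hunk, so builds against older libraries presumably need one around both calls. The enclosing function starts and ends outside the hunk.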
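Review bot: `SSL_CTX_clear_options(ctx, ~init_options)` clears every bit that is not in `init_options`, including options the library enables by default (for example `SSL_OP_NO_COMPRESSION` since OpenSSL 1.1.0), so those protections survive only if the code that builds `init_options` sets them. That code is outside the hunk and should be checked. `readback` is declared `ulong` while OpenSSL 3.0 returns the option set as `uint64_t`; where long is 32 bits, and presumably `init_options` is a long as the `%lx` format suggests, the complement leaves the upper bits uncleared and the comparison runs on a truncated value, so `uint64_t readback` with a mask of the same width would be safer. The failure message still reads `SSL_CTX_set_option(%#lx)` and omits `readback`, which makes a mismatch hard to diagnose from the log.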