From 3a8ca319b35a3b3533b1f1ca55e904cfcb71962c Mon Sep 17 00:00:00 2001
From: Kevin Lin
Date: Mon, 31 May 2021 13:33:48 -0700
Subject: Configurable minimum supported TLS protocol version
`-o ssl_min_version` can be used to configure the server to only accept handshakes from clients with a minimum TLS protocol version. Currently supported options are TLS v1.0, TLS v1.1, TLS v1.2, and TLS v1.3 (OpenSSL 1.1.1+ only).
---
 tls.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
(limited to 'tls.c')
diff --git a/tls.c b/tls.c
index df42308..dcd7435 100644
--- a/tls.c
+++ b/tls.c
@@ -177,13 +177,12 @@ static bool load_server_certificates(char **errmsg) {
 */
 int ssl_init(void) {
 assert(settings.ssl_enabled);
+
 // SSL context for the process. All connections will share one
 // process level context.
 settings.ssl_ctx = SSL_CTX_new(TLS_server_method());
- // Clients should use at least TLSv1.2
- int flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
- SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
- SSL_CTX_set_options(settings.ssl_ctx, flags);
+
+ SSL_CTX_set_min_proto_version(settings.ssl_ctx, settings.ssl_min_version);
 // The server certificate, private key and validations.
 char *error_msg;
@@ -249,4 +248,21 @@ int ssl_new_session_callback(SSL *s, SSL_SESSION *sess) {
 bool refresh_certs(char **errmsg) {
 return load_server_certificates(errmsg);
 }
+
+const char *ssl_proto_text(int version) {
+ switch (version) {
+ case TLS1_VERSION:
+ return "tlsv1.0";
+ case TLS1_1_VERSION:
+ return "tlsv1.1";
+ case TLS1_2_VERSION:
+ return "tlsv1.2";
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ case TLS1_3_VERSION:
+ return "tlsv1.3";
+#endif
+ default:
+ return "unknown";
+ }
+}
 #endif
--
cgit v1.2.1
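Review bot: The return value of the new `SSL_CTX_set_min_proto_version` call in `ssl_init` is discarded, so a configured floor that the linked libssl cannot apply (it returns 1 on success and 0 on failure) leaves the context at its default minimum while the server believes `settings.ssl_min_version` is in force. It should fail the same way the certificate-loading path just below does, e.g. `if (SSL_CTX_set_min_proto_version(settings.ssl_ctx, settings.ssl_min_version) != 1) { /* report the unusable ssl_min_version and fail init */ }`. Dropping the SSL_OP_NO_* option mask is fine once a minimum version is set, since the floor also excludes SSLv2/SSLv3, but `SSL_CTX_set_min_proto_version` only exists from OpenSSL 1.1.0, so the build now presumably requires that baseline and a short comment saying so would help. The body of `ssl_init` continues past the end of the hunk, and the `SSL_CTX_new` result it dereferences is still not checked for NULL (pre-existing).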
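Review bot: `ssl_proto_text` is a new non-static function with no header comment, so a reader has to know OpenSSL's `TLS1_*_VERSION` constants to understand what `version` is. Suggest a comment above it stating that it maps an OpenSSL protocol-version constant (the same values passed to `SSL_CTX_set_min_proto_version`) to a static lowercase label, returns "unknown" for any other value, and that the returned pointer is a string literal the caller must not free. The `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` guard is correct because `TLS1_3_VERSION` is only defined from 1.1.1, but it reads like a feature toggle; a one-liner such as `// TLS1_3_VERSION only exists in OpenSSL 1.1.1+` would make the intent explicit. The parsing side of `-o ssl_min_version` is not in this file, so whether it accepts exactly this set of versions cannot be confirmed here.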