From 38b6e62c6c8eb8bb40ba018a7cc995319e8817c0 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Sat, 12 Aug 2017 10:12:03 -0400 Subject: Improve tlscommon.c for openssl 1.1 * Pass in tls_method so that all versions of TLS can be supported * Disable sslv3; we should also disable TLS1 but that might be an issue since previous versions only supported TLS1 * We need to look at the ASN1 deprecated warnings, but figuring out a fix that works both for Centos and Debian is more time than I wanted to spend. The deprecated warning seems OK there, so make it not an error at least for now. --- radsecproxy/Makefile.am | 1 + radsecproxy/tlscommon.c | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/radsecproxy/Makefile.am b/radsecproxy/Makefile.am index dc5ffc4..872416b 100644 --- a/radsecproxy/Makefile.am +++ b/radsecproxy/Makefile.am @@ -21,3 +21,4 @@ if RS_ENABLE_TLS libradsec_radsecproxy_la_SOURCES += \ tlscommon.c tlscommon.h endif +libradsec_radsecproxy_la_CFLAGS = -Wno-error=deprecated diff --git a/radsecproxy/tlscommon.c b/radsecproxy/tlscommon.c index a31fa32..5a5660b 100644 --- a/radsecproxy/tlscommon.c +++ b/radsecproxy/tlscommon.c @@ -202,12 +202,12 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { switch (type) { #ifdef RADPROT_TLS case RAD_TLS: - ctx = SSL_CTX_new(TLSv1_method()); + ctx = SSL_CTX_new(TLS_method()); break; #endif #ifdef RADPROT_DTLS case RAD_DTLS: - ctx = SSL_CTX_new(DTLSv1_method()); + ctx = SSL_CTX_new(DTLS_method()); SSL_CTX_set_read_ahead(ctx, 1); break; #endif @@ -218,6 +218,7 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL)); return NULL; } + SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3); #ifdef DEBUG SSL_CTX_set_info_callback(ctx, ssl_info_callback); #endif -- cgit v1.2.1