authorAndrej Shadura <andrewsh@debian.org>2018-12-15 15:31:57 +0100
committerAndrej Shadura <andrewsh@debian.org>2018-12-15 15:31:57 +0100
commit864ef1cca6de58ef238b4330a35ba940ebe87e70 (patch)
tree224357a77e638aa80082c8401e3113e30761d542
parent27c5db9c1ae15a7e78541b3cc8e1f1790a12a210 (diff)
Enable TLSv1.0 by default
OpenSSL 1.1.1 disables TLSv1.0 by default and sets the security level to 2. Some older networks may need support for TLSv1.0 and less secure ciphers. Gbp-Pq: Name allow-tlsv1.patch
-rw-r--r--src/crypto/tls_openssl.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 0d5ebda..b55341f 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -988,6 +988,13 @@ void * tls_init(const struct tls_config *conf)
os_free(data);
return NULL;
}
+
+#ifndef EAP_SERVER_TLS
+ /* Enable TLSv1.0 by default to allow connecting to legacy
+ * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */
+ SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);
+#endif
+
data->ssl = ssl;
if (conf)
data->tls_session_lifetime = conf->tls_session_lifetime;
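Review bot: The added `SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION)` call lowers the protocol floor unconditionally for every build without `EAP_SERVER_TLS`, so a stricter system-wide minimum is silently overridden and nothing in the hunk lets an administrator opt back out at run time. Its return value (0 on failure) is also ignored; I would check and log it, e.g. `if (SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION) != 1) wpa_printf(MSG_INFO, "OpenSSL: could not lower minimum TLS version");`, and preferably gate the lowering on a configuration setting instead of a compile-time macro. The comment cites SECLEVEL=2 and the commit message mentions weaker ciphers, but the code leaves the security level untouched, so the comment should state that only the version floor changes, for example `/* Lowers only the minimum protocol version; the OpenSSL security level is left at the system default. */`. The body of tls_init starts and ends outside the hunk.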