2020-04-06 09:50:10 +00:00
|
|
|
--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200
|
|
|
|
|
+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200
|
|
|
|
|
@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
|
|
|
|
ICON_IMAGE load_icon_file(const char *);
|
|
|
|
|
#endif
|
|
|
|
|
|
2020-04-06 17:51:49 +00:00
|
|
|
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
|
|
|
|
|
+ crypto policies */
|
2020-04-06 09:50:10 +00:00
|
|
|
+
|
|
|
|
|
#endif /* defined PROTOTYPES_H */
|
|
|
|
|
|
|
|
|
|
/* end of prototypes.h */
|
|
|
|
|
--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 11:14:41.993334510 +0200
|
|
|
|
|
+++ stunnel-5.56/src/options.c 2020-04-06 11:22:37.393391977 +0200
|
|
|
|
|
@@ -3142,7 +3142,10 @@ NOEXPORT char *parse_service_option(CMD
|
|
|
|
|
/* sslVersionMax */
|
|
|
|
|
switch(cmd) {
|
|
|
|
|
case CMD_SET_DEFAULTS:
|
|
|
|
|
- section->max_proto_version=0; /* highest supported */
|
|
|
|
|
+ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
|
|
|
|
|
+ OpenSSL crypto
|
|
|
|
|
+ policies.Do not
|
|
|
|
|
+ override it */
|
|
|
|
|
break;
|
|
|
|
|
case CMD_SET_COPY:
|
|
|
|
|
section->max_proto_version=new_service_options.max_proto_version;
|
|
|
|
|
@@ -3173,7 +3176,10 @@ NOEXPORT char *parse_service_option(CMD
|
|
|
|
|
/* sslVersionMin */
|
|
|
|
|
switch(cmd) {
|
|
|
|
|
case CMD_SET_DEFAULTS:
|
|
|
|
|
- section->min_proto_version=TLS1_VERSION;
|
|
|
|
|
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
|
|
|
|
|
+ OpenSSL crypto
|
|
|
|
|
+ policies. Do not
|
|
|
|
|
+ override it */
|
|
|
|
|
break;
|
|
|
|
|
case CMD_SET_COPY:
|
|
|
|
|
section->min_proto_version=new_service_options.min_proto_version;
|
|
|
|
|
--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200
|
|
|
|
|
+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200
|
|
|
|
|
@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
|
|
|
|
|
section->ctx=SSL_CTX_new(TLS_client_method());
|
|
|
|
|
else /* server mode */
|
|
|
|
|
section->ctx=SSL_CTX_new(TLS_server_method());
|
|
|
|
|
- if(!SSL_CTX_set_min_proto_version(section->ctx,
|
|
|
|
|
- section->min_proto_version)) {
|
|
|
|
|
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
|
|
|
|
- section->min_proto_version);
|
|
|
|
|
- return 1; /* FAILED */
|
|
|
|
|
+
|
|
|
|
|
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
|
|
|
|
|
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
|
|
|
|
|
+ OpenSSL crypto policies. Not setting explicitly.");
|
|
|
|
|
+ } else {
|
|
|
|
|
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
|
|
|
|
|
+ section->min_proto_version)) {
|
|
|
|
|
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
|
|
|
|
+ section->min_proto_version);
|
|
|
|
|
+ return 1; /* FAILED */
|
|
|
|
|
+ }
|
|
|
|
|
}
|
|
|
|
|
- if(!SSL_CTX_set_max_proto_version(section->ctx,
|
|
|
|
|
- section->max_proto_version)) {
|
|
|
|
|
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
|
|
|
|
- section->max_proto_version);
|
|
|
|
|
- return 1; /* FAILED */
|
|
|
|
|
+
|
|
|
|
|
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
|
|
|
|
|
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
|
|
|
|
|
+ OpenSSL crypto policies. Not setting explicitly");
|
|
|
|
|
+ } else {
|
|
|
|
|
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
|
|
|
|
|
+ section->max_proto_version)) {
|
|
|
|
|
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
|
|
|
|
+ section->max_proto_version);
|
|
|
|
|
+ return 1; /* FAILED */
|
|
|
|
|
+ }
|
|
|
|
|
}
|
|
|
|
|
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
|
|
|
|
if(section->option.client)
|
