upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-29 09:59:08 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

TLS: set some common options both for client and server contexts

Browse source 
This commit makes the TLS context manipulation code set some of the
common protocol versions regardless of the OpenSSL version in use.
This commit is contained in:
Artem Boldariev 2021-09-13 14:00:35 +03:00
parent aae268b6c8
commit 9e039986cd
1 changed files with 9 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
lib/isc/tls.c
View file

@ -33,6 +33,9 @@
#include "openssl_shim.h"
#include "tls_p.h"
#define COMMON_SSL_OPTIONS \
(SSL_OP_NO_COMPRESSION | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
static isc_once_t init_once = ISC_ONCE_INIT;
static isc_once_t shut_once = ISC_ONCE_INIT;
static atomic_bool init_done = ATOMIC_VAR_INIT(false);
@ -185,13 +188,13 @@ isc_tlsctx_createclient(isc_tlsctx_t **ctxp) {
goto ssl_error;
}
SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS);
#if HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
#else
SSL_CTX_set_options(
ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
SSL_OP_NO_TLSv1_1 | SSL_OP_NO_COMPRESSION |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
#endif
*ctxp = ctx;
@ -235,6 +238,8 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
}
RUNTIME_CHECK(ctx != NULL);
SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS);
#if HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
#else