From 1cb4d2f0c9429773cf4b1ac366c464e321f3a3ea Mon Sep 17 00:00:00 2001
From: Matus Honek
Date: Thu, 25 Feb 2021 17:05:17 +0000
Subject: [PATCH] ITS#8904 - Ensure SSLv3 is enabled when necessary

Either at compilation time, or as a system-wide configuration, OpenSSL may have disabled SSLv3 protocol by default. This change ensures the protocol NO flag is cleared when necessary, hence allowing for the protocol to be used.
---
 libraries/libldap/tls_o.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index f4d5401e3a..8aea072f3f 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -317,8 +317,10 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 #endif
 	if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL3 )
 		SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );
-	else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 )
+	else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 ) {
 		SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 );
+		SSL_CTX_clear_options( ctx, SSL_OP_NO_SSLv3 );
+	}
 	if ( lo->ldo_tls_ciphersuite && !SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )