From 3289d8482c3736cca96f0e858775c45ad611a793 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Mon, 27 Feb 2017 14:40:30 +0000
Subject: [PATCH] - Fix #1227: Fix that Unbound control allows weak ciphersuits.
git-svn-id: file:///svn/unbound/trunk@4027 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 daemon/remote.c | 18 ++++++++++++++++++
 doc/Changelog | 3 +++
 2 files changed, 21 insertions(+)
diff --git a/daemon/remote.c b/daemon/remote.c
index 681c57906..ac057f99d 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -242,6 +242,24 @@ daemon_remote_create(struct config_file* cfg)
 daemon_remote_delete(rc);
 return NULL;
 }
+#if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
+ /* if we have tls 1.1 disable 1.0 */
+ if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
+ != SSL_OP_NO_TLSv1){
+ log_crypto_err("could not set SSL_OP_NO_TLSv1");
+ daemon_remote_delete(rc);
+ return NULL;
+ }
+#endif
+#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
+ /* if we have tls 1.2 disable 1.1 */
+ if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
+ != SSL_OP_NO_TLSv1_1){
+ log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
+ daemon_remote_delete(rc);
+ return NULL;
+ }
+#endif
 if (cfg->remote_control_use_cert == 0) {
 /* No certificates are requested */
diff --git a/doc/Changelog b/doc/Changelog
index c52dcacab..1a2cee1e7 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+27 February 2017: Wouter
+ - Fix #1227: Fix that Unbound control allows weak ciphersuits.
+
 24 February 2017: Wouter
 - include sys/time.h for new shm code on NetBSD.
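Review bot: Nothing in the daemon/remote.c hunk narrows the cipher list: the two added blocks in daemon_remote_create only switch off TLS 1.0 and TLS 1.1, so the weak suites named in the subject are excluded only as far as they depend on those older protocols. If weak suites should also be refused under TLS 1.2, the certificate path needs an `SSL_CTX_set_cipher_list(rc->ctx, ...)` call with a project-chosen policy string; whether one already exists cannot be seen here, because the function continues outside the hunk. The `#if defined(...)` guards test what the headers declare at compile time, not what the linked libssl supports at run time, so a comment such as `/* compile-time check only; a libssl built without TLS 1.2 would be left with no enabled protocol */` would record that assumption. On OpenSSL 1.1.0 and later, `SSL_CTX_set_min_proto_version(rc->ctx, TLS1_2_VERSION)` sets the same floor in one call.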