authorPeter Powell <petpow@saberuk.com>2019-06-10 11:33:55 +0100
committerPeter Powell <petpow@saberuk.com>2019-06-10 11:33:55 +0100
commitdf9ca5115b64bc5b7888dee3123d0bf6527c496d (patch)
treeab19bb015e22e8b14ea29d829e86afe97d788e8e /src/modules
parentdbcad43824c1e0a89b2d46faddd3d301c2b06493 (diff)
Add a way to disable older SSL versions with ssl_openssl.
Diffstat (limited to 'src/modules')
-rw-r--r--src/modules/extra/m_ssl_openssl.cpp17
1 files changed, 16 insertions, 1 deletions
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 3ebc8e4d9..4937e7cb0 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -336,14 +336,29 @@ namespace OpenSSL
{
long setoptions = tag->getInt(ctxname + "setoptions", 0);
long clearoptions = tag->getInt(ctxname + "clearoptions", 0);
+
#ifdef SSL_OP_NO_COMPRESSION
- if (!tag->getBool("compression", false)) // Disable compression by default
+ // Disable compression by default
+ if (!tag->getBool("compression", false))
setoptions |= SSL_OP_NO_COMPRESSION;
#endif
+
// Disable TLSv1.0 by default.
if (!tag->getBool("tlsv1", false))
setoptions |= SSL_OP_NO_TLSv1;
+#ifdef SSL_OP_NO_TLSv1_1
+ // Enable TLSv1.1 by default.
+ if (!tag->getBool("tlsv11", true))
+ setoptions |= SSL_OP_NO_TLSv1_1;
+#endif
+
+#ifdef SSL_OP_NO_TLSv1_2
+ // Enable TLSv1.2 by default.
+ if (!tag->getBool("tlsv12", true))
+ setoptions |= SSL_OP_NO_TLSv1_2;
+#endif
+
if (!setoptions && !clearoptions)
return; // Nothing to do
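Review bot: The new `tlsv11` toggle defaults to `true`, so TLSv1.1 stays negotiable on every profile that does not opt out, while `tlsv1` just above defaults to off. TLSv1.1 keeps the MD5/SHA-1 based PRF and has no AEAD cipher suites, so it is worth considering `if (!tag->getBool("tlsv11", false))` here. If the default must stay for compatibility, say so in the comment, e.g. `// TLSv1.1 is kept on by default for older clients; set tlsv11="no" to disable it.` Separately, nothing after the three toggles checks that at least one protocol version is still enabled. A profile that turns all of them off would presumably build a context that cannot complete a handshake on a library without TLSv1.3, so a config-time error would be clearer than a failure at connect time. The enclosing function starts and ends outside this hunk, so such a check may already exist further down.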