From bc8974b9a3e4826ce542e10fcbc632a92c52d758 Mon Sep 17 00:00:00 2001
From: Jan Vidar Krey <janvidar@extatic.org>
Date: Tue, 23 Apr 2019 16:16:36 +0200
Subject: [PATCH] Add better TLS protocol negotiation for OpenSSL >1.0.1

---
 src/network/openssl.c | 37 ++++++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 11 deletions(-)

diff --git a/src/network/openssl.c b/src/network/openssl.c
index 0aa065d..b8db5c2 100644
--- a/src/network/openssl.c
+++ b/src/network/openssl.c
@@ -129,7 +129,7 @@ static void add_io_stats(struct net_ssl_openssl* handle)
 	}
 }
 
-static const SSL_METHOD* get_ssl_method(const char* tls_version)
+static const SSL_METHOD* get_ssl_method(const struct net_context_openssl* ctx, const char* tls_version)
 {
 	if (!tls_version || !*tls_version)
 	{
@@ -137,6 +137,12 @@ static const SSL_METHOD* get_ssl_method(const char* tls_version)
 		return 0;
 	}
 
+	/* Disable SSLv2 */
+	SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_SSLv2);
+
+	/* Disable SSLv3 */
+	SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_SSLv3);
+
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (!strcmp(tls_version, "1.0"))
 	  return TLSv1_method();
@@ -148,7 +154,24 @@ static const SSL_METHOD* get_ssl_method(const char* tls_version)
 	LOG_ERROR("Unable to recognize tls_version.");
 	return 0;
 #else
-	LOG_WARN("tls_version is obsolete, and should not be used.");
+        if (!strcmp(tls_version, "1.0"))
+        {
+            // Not much to do - allow TLS 1.0 and above.
+        }
+
+        if (!strcmp(tls_version, "1.1"))
+        {
+            // Disable anything below TLS 1.1
+            SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_TLSv1);
+        }
+
+        if (!strcmp(tls_version, "1.2"))
+        {
+            // Disable anything below TLS 1.2
+            SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_TLSv1);
+            SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_TLSv1_1);
+        }
+
 	return TLS_method();
 #endif
 }
@@ -185,7 +208,7 @@ static int alpn_server_select_protocol(SSL *ssl, const unsigned char **out, unsi
 struct ssl_context_handle* net_ssl_context_create(const char* tls_version, const char* tls_ciphersuite)
 {
 	struct net_context_openssl* ctx = (struct net_context_openssl*) hub_malloc_zero(sizeof(struct net_context_openssl));
-	const SSL_METHOD* ssl_method = get_ssl_method(tls_version);
+	const SSL_METHOD* ssl_method = get_ssl_method(ctx, tls_version);
 
 	if (!ssl_method)
 	{
@@ -195,14 +218,6 @@ struct ssl_context_handle* net_ssl_context_create(const char* tls_version, const
 
 	ctx->ssl = SSL_CTX_new(ssl_method);
 
-	/* Disable SSLv2 */
-	SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_SSLv2);
-
-// #ifdef SSL_OP_NO_SSLv3
-	/* Disable SSLv3 */
-	SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_SSLv3);
-// #endif
-
 	// FIXME: Why did we need this again?
 	SSL_CTX_set_quiet_shutdown(ctx->ssl, 1);