From 68a1f70275d3ceefa8f2759c5dc6f6e498e073d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9mie=20Courr=C3=A8ges-Anglas?= <address@hidden>
Date: Mon, 1 Dec 2014 13:41:59 +0100
Subject: [PATCH 1/2] openssl backend: repair use of TLSv1+ protocols

The use of TLSv1_client_method() means that the protocol used will be
limited to TLSv1.0.  This is not desirable for --secure-protocol values
of "auto" (default) and "pfs".  Fix by using SSLv23_client_method() and
disabling SSLv[23].

Issue reported by Mikolaj Kucharski.
---
 src/openssl.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/openssl.c b/src/openssl.c
index 38c6ac4..81da5a2 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -203,6 +203,8 @@ ssl_init (void)
   SSLeay_add_all_algorithms ();
   SSLeay_add_ssl_algorithms ();
 
+  long ssl_options = 0;
+
   switch (opt.secure_protocol)
     {
 #ifndef OPENSSL_NO_SSL2
@@ -219,6 +221,9 @@ ssl_init (void)
 
     case secure_protocol_auto:
     case secure_protocol_pfs:
+      meth = SSLv23_client_method ();
+      ssl_options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+      break;
     case secure_protocol_tlsv1:
       meth = TLSv1_client_method ();
       break;
@@ -253,6 +258,9 @@ ssl_init (void)
   if (!ssl_ctx)
     goto error;
 
+  if (ssl_options)
+    SSL_CTX_set_options (ssl_ctx, ssl_options);
+
   /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
    * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more)
    */
-- 
2.1.3