Introduce DisableSslVersions.

The SSL Versions specified will be disabled on server context.

2 files changed, 17 insertions, 7 deletions

diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index def2f45e..e0395aa4 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@@ -12966,15 +12966,24 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
 	{

 		if (sock->ServerMode)

 		{

-			if (sock->AcceptOnlyTls == false)

-			{

-				SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());

+			SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());

+			long ssl_opt_flags=0x0L;

+			if (sock->DisableSslVersions & SSL_VERSION_SSL_V2) {

+				ssl_opt_flags |= SSL_OP_NO_SSLv2;

 			}

-			else

-			{

-				SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_method());

+			if (sock->DisableSslVersions & SSL_VERSION_SSL_V3) {

+				ssl_opt_flags |= SSL_OP_NO_SSLv3;

 			}

-

+			if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_0) {

+				ssl_opt_flags |= SSL_OP_NO_TLSv1;

+			}

+			if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_1) {

+				ssl_opt_flags |= SSL_OP_NO_TLSv1_1;

+			}

+			if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_2) {

+				ssl_opt_flags |= SSL_OP_NO_TLSv1_2;

+			}

+			SSL_CTX_set_options(ssl_ctx, ssl_opt_flags);

 			Unlock(openssl_lock);

 			AddChainSslCertOnDirectory(ssl_ctx);

 			Lock(openssl_lock);

diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h
index 6f51bedf..18024c4b 100644
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@@ -313,6 +313,7 @@ struct SOCK
 	UINT Reverse_MyServerPort;		// Self port number when using the reverse socket

 	UCHAR Ssl_Init_Async_SendAlert[2];	// Initial state of SSL send_alert

 	bool AcceptOnlyTls;			// Accept only TLS (disable SSLv3)

+	UINT DisableSslVersions;	// Bitmap of SSL Version to disable

 	bool RawIP_HeaderIncludeFlag;

 

 #ifdef	ENABLE_SSL_LOGGING