author | Raymond Tau <raymondtau@gmail.com> | 2015-11-09 19:55:24 +0300 |
---|---|---|
committer | Raymond Tau <raymondtau@gmail.com> | 2015-11-09 19:55:24 +0300 |
commit | 8b1b67faedaac1c84c54874aa50a1e89952915af (patch) | |
tree | 95c0af6c6aae09da9315f1bf56877e08be5dbb11 /src/Mayaqua | |
parent | d3a1b26413acf3b387475f9ec5c4cbd93c5ffffe (diff) |
Introduce DisableSslVersions.
The SSL versions specified will be disabled on the server context.
Diffstat (limited to 'src/Mayaqua')
-rw-r--r-- | src/Mayaqua/Network.c | 23 | ||||
-rw-r--r-- | src/Mayaqua/Network.h | 1 |
2 files changed, 17 insertions, 7 deletions
diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index def2f45e..e0395aa4 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@@ -12966,15 +12966,24 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
{
if (sock->ServerMode)
{
- if (sock->AcceptOnlyTls == false)
- {
- SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
+ SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
+ long ssl_opt_flags=0x0L;
+ if (sock->DisableSslVersions & SSL_VERSION_SSL_V2) {
+ ssl_opt_flags |= SSL_OP_NO_SSLv2;
}
- else
- {
- SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_method());
+ if (sock->DisableSslVersions & SSL_VERSION_SSL_V3) {
+ ssl_opt_flags |= SSL_OP_NO_SSLv3;
}
-
+ if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_0) {
+ ssl_opt_flags |= SSL_OP_NO_TLSv1;
+ }
+ if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_1) {
+ ssl_opt_flags |= SSL_OP_NO_TLSv1_1;
+ }
+ if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_2) {
+ ssl_opt_flags |= SSL_OP_NO_TLSv1_2;
+ }
+ SSL_CTX_set_options(ssl_ctx, ssl_opt_flags);
Unlock(openssl_lock);
AddChainSslCertOnDirectory(ssl_ctx);
Lock(openssl_lock);
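Review bot: The server path no longer honors `sock->AcceptOnlyTls`: the removed branch selected TLSv1_method() when that flag was set, but the new code derives `ssl_opt_flags` solely from `sock->DisableSslVersions`, so a caller that sets only AcceptOnlyTls (the field still exists in SOCK) now gets SSLv2/SSLv3 re-enabled under SSLv23_method(). Unless every caller is updated in the same commit, fold the old flag in before the `SSL_CTX_set_options` call, e.g. `if (sock->AcceptOnlyTls) { ssl_opt_flags |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; }`. The SSL_VERSION_* bit constants tested here are not defined in either visible hunk, so presumably they live elsewhere; the Network.h hunk only adds the `DisableSslVersions` field, and its comment could name the bits it expects, e.g. `// Bitmap of SSL_VERSION_* bits to disable`. As a point of style, the new `if (...) {` braces on the same line differ from the Allman brace layout used by the surrounding code. StartSSLEx begins and ends outside the hunk.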
diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h
index 6f51bedf..18024c4b 100644
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@@ -313,6 +313,7 @@ struct SOCK
UINT Reverse_MyServerPort; // Self port number when using the reverse socket
UCHAR Ssl_Init_Async_SendAlert[2]; // Initial state of SSL send_alert
bool AcceptOnlyTls; // Accept only TLS (disable SSLv3)
+ UINT DisableSslVersions; // Bitmap of SSL Version to disable
bool RawIP_HeaderIncludeFlag;
#ifdef ENABLE_SSL_LOGGING