github.com/neutrinolabs/NeutrinoRDP.git
author: Idan <speidy@gmail.com> 2018-03-10 10:13:48 +0300
committer: speidy <speidy@gmail.com> 2018-03-26 15:24:44 +0300
commit: e723ba07959dfd6da0795b9f7f93c979657af8c8 (patch)
tree: 82dfc085cdb9603de9bda6727f7961e00566a223
parent: 55b684404acd72ffff74a725fd2312332f3bb63c (diff)
libfreerdp-core: tls: negotiate TLS protocol version. Explicitly disallow SSLv2/v3 to be used since they're deprecated.
TLSv1.2 is the de-facto standard which is widely used these days, so we need to be able to support it. This change will also allow TLSv1.1, and might allow newer protocols like TLSv1.3 in the future, when they are added to OpenSSL. ref: https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_new.html
-rw-r--r-- libfreerdp-core/tls.c | 5
1 file changed, 4 insertions, 1 deletion
diff --git a/libfreerdp-core/tls.c b/libfreerdp-core/tls.c
index e1530e3..1e79da7 100644
--- a/libfreerdp-core/tls.c
+++ b/libfreerdp-core/tls.c
@@ -35,7 +35,7 @@ tbool tls_connect(rdpTls* tls)
int connection_status;
LLOGLN(10, ("tls_connect:"));
- tls->ctx = SSL_CTX_new(TLSv1_client_method());
+ tls->ctx = SSL_CTX_new(SSLv23_client_method());
if (tls->ctx == NULL)
{
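Review bot: SSLv23_client_method() is deprecated since OpenSSL 1.1.0 in favour of TLS_client_method(), so the new line at `tls->ctx = SSL_CTX_new(SSLv23_client_method());` will start producing deprecation warnings on newer OpenSSL; consider guarding it with `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` and using TLS_client_method() there, falling back to SSLv23_client_method() in the `#else` branch. A short comment at this line would also help future readers: despite its name, SSLv23_client_method() negotiates the highest version both peers support, and on its own it can still permit SSLv3 on builds where that protocol is compiled in unless the version is masked off via SSL_CTX_set_options, which this hunk does not do by itself.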
@@ -52,6 +52,9 @@ tbool tls_connect(rdpTls* tls)
* won't recognize it and will disconnect you after sending a TLS alert.
*/
SSL_CTX_set_options(tls->ctx, SSL_OP_ALL);
+
+ // Explicitly disable deprecated SSL protocols
+ SSL_CTX_set_options(tls->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
tls->ssl = SSL_new(tls->ctx);
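Review bot: the added comment uses `//` while the surrounding code in this file uses `/* ... */` (see the block comment ending just above `SSL_CTX_set_options(tls->ctx, SSL_OP_ALL);`); switch to the C-style comment for consistency. The two consecutive SSL_CTX_set_options() calls could also be folded into one, `SSL_CTX_set_options(tls->ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`. The placement is correct, since the options are set on the context before SSL_new() and so are inherited by the SSL object. Worth noting in the comment: on OpenSSL 1.1.0 and later SSL_OP_NO_SSLv2 is a harmless no-op because SSLv2 support was removed, and the preferred way to express the same floor there is SSL_CTX_set_min_proto_version(tls->ctx, TLS1_VERSION).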