afclient: use whatever version of TLS (or better) we can.

Refuse to use pre-TLS SSL, since now SSLv3 has been broken by POODLE attack.
author: Joshua Judson Rosen 2014-10-20 00:31:21 -0400
committer: Joshua Judson Rosen 2014-10-20 00:31:21 -0400
commit: 91a72baa658628354bd7adba45fb6071356898bd (patch)
tree: c4eb6f78e1d5a15a9a23119f1433b4f470803f48
parent: afserver: avoid requiring a specific SSL protocol version (diff)
download: apf-91a72baa658628354bd7adba45fb6071356898bd.tar.gz
1 files changed, 10 insertions, 1 deletions
diff --git a/src/afclient.c b/src/afclient.c
index 5a823eb..9eaee7f 100644
--- a/src/afclient.c
+++ b/src/afclient.c
@@ -673,8 +673,17 @@ main(int argc, char **argv)
   
   if (ClientRealm_get_clientMode(pointer) != CLIENTREALM_MODE_REVERSE) {
     SSL_library_init();
-    method = SSLv3_client_method();
+
+    /* Use the latest TLS version we can: */
+    method = SSLv23_client_method();
     ctx = SSL_CTX_new(method);
+    /* Both SSLv2 and SSLv3 are broken--refuse to use them;
+       this should get us at least some version of TLS,
+       ideally whatever the best both our OpenSSL library
+       and the server's OpenSSL library can support:
+    */
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
     if (SSL_CTX_set_cipher_list(ctx, "ALL:@STRENGTH") == 0) {
       aflog(LOG_T_INIT, LOG_I_CRIT,
           "Setting cipher list failed... exiting");
author	Joshua Judson Rosen	2014-10-20 00:31:21 -0400
committer	Joshua Judson Rosen	2014-10-20 00:31:21 -0400
commit	91a72baa658628354bd7adba45fb6071356898bd (patch)
tree	c4eb6f78e1d5a15a9a23119f1433b4f470803f48
parent	afserver: avoid requiring a specific SSL protocol version (diff)
download	apf-91a72baa658628354bd7adba45fb6071356898bd.tar.gz