author | Joshua Judson Rosen | 2014-10-20 00:31:21 -0400 |
---|---|---|
committer | Joshua Judson Rosen | 2014-10-20 00:31:21 -0400 |
commit | 91a72baa658628354bd7adba45fb6071356898bd (patch) | |
tree | c4eb6f78e1d5a15a9a23119f1433b4f470803f48 | |
parent | afserver: avoid requiring a specific SSL protocol version (diff) | |
afclient: use whatever version of TLS (or better) we can.
Refuse to use pre-TLS SSL, since SSLv3 has now been broken by the POODLE attack.
-rw-r--r-- | src/afclient.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/src/afclient.c b/src/afclient.c
index 5a823eb..9eaee7f 100644
--- a/src/afclient.c
+++ b/src/afclient.c
@@ -673,8 +673,17 @@ main(int argc, char **argv)
 if (ClientRealm_get_clientMode(pointer) != CLIENTREALM_MODE_REVERSE) {
 SSL_library_init();
- method = SSLv3_client_method();
+
+ /* Use the latest TLS version we can: */
+ method = SSLv23_client_method();
 ctx = SSL_CTX_new(method);
+ /* Both SSLv2 and SSLv3 are broken--refuse to use them; this should get us at least some version of TLS, ideally whatever the best both our OpenSSL library and the server's OpenSSL library can support: */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
 if (SSL_CTX_set_cipher_list(ctx, "ALL:@STRENGTH") == 0) {
 aflog(LOG_T_INIT, LOG_I_CRIT, "Setting cipher list failed... exiting"); |