authorJoshua Judson Rosen2014-10-20 00:31:21 -0400
committerJoshua Judson Rosen2014-10-20 00:31:21 -0400
commit91a72baa658628354bd7adba45fb6071356898bd (patch)
treec4eb6f78e1d5a15a9a23119f1433b4f470803f48 /src
parentafserver: avoid requiring a specific SSL protocol version (diff)
downloadapf-91a72baa658628354bd7adba45fb6071356898bd.tar.gz
afclient: use whatever version of TLS (or better) we can.
Refuse to use pre-TLS SSL (SSLv2 and SSLv3), since SSLv3 has now been broken by the POODLE attack.
Diffstat (limited to 'src')
-rw-r--r--src/afclient.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/afclient.c b/src/afclient.c
index 5a823eb..9eaee7f 100644
--- a/src/afclient.c
+++ b/src/afclient.c
@@ -673,8 +673,17 @@ main(int argc, char **argv)
if (ClientRealm_get_clientMode(pointer) != CLIENTREALM_MODE_REVERSE) {
SSL_library_init();
- method = SSLv3_client_method();
+
+ /* Use the latest TLS version we can: */
+ method = SSLv23_client_method();
ctx = SSL_CTX_new(method);
+ /* Both SSLv2 and SSLv3 are broken--refuse to use them;
+ this should get us at least some version of TLS,
+ ideally whatever the best both our OpenSSL library
+ and the server's OpenSSL library can support:
+ */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
if (SSL_CTX_set_cipher_list(ctx, "ALL:@STRENGTH") == 0) {
aflog(LOG_T_INIT, LOG_I_CRIT,
"Setting cipher list failed... exiting");