From 91a72baa658628354bd7adba45fb6071356898bd Mon Sep 17 00:00:00 2001
From: Joshua Judson Rosen
Date: Mon, 20 Oct 2014 00:31:21 -0400
Subject: afclient: use whatever version of TLS (or better) we can.

Refuse to use pre-TLS SSL, since now SSLv3 has been broken by POODLE attack.
---
 src/afclient.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/afclient.c b/src/afclient.c
index 5a823eb..9eaee7f 100644
--- a/src/afclient.c
+++ b/src/afclient.c
@@ -673,8 +673,17 @@ main(int argc, char **argv)
   
   if (ClientRealm_get_clientMode(pointer) != CLIENTREALM_MODE_REVERSE) {
     SSL_library_init();
-    method = SSLv3_client_method();
+
+    /* Use the latest TLS version we can: */
+    method = SSLv23_client_method();
     ctx = SSL_CTX_new(method);
+    /* Both SSLv2 and SSLv3 are broken--refuse to use them;
+       this should get us at least some version of TLS,
+       ideally whatever the best both our OpenSSL library
+       and the server's OpenSSL library can support:
+    */
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
     if (SSL_CTX_set_cipher_list(ctx, "ALL:@STRENGTH") == 0) {
       aflog(LOG_T_INIT, LOG_I_CRIT,
           "Setting cipher list failed... exiting");
-- 
cgit v1.1