From fc04c7ac1f50aa5c147af5c0f8cd4a68b9e37990 Mon Sep 17 00:00:00 2001
From: Joshua Judson Rosen
Date: Mon, 20 Oct 2014 00:31:09 -0400
Subject: afserver: avoid requiring a specific SSL protocol version

Trust the clients to negotiate the latest/best protocol version they can. This should generally improve security over time (as OpenSSL improves and implements improved protocols) without having the APF codebase or server/client deployments need to chase latest OpenSSL API additions, causing portability problems, or breaking client deployments that are hard to upgrade.
---
 src/afserver.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/afserver.c b/src/afserver.c
index f509404..4c00d26 100644
--- a/src/afserver.c
+++ b/src/afserver.c
@@ -515,8 +515,17 @@ main(int argc, char **argv)
 maxfdp1 = 0;
 SSL_library_init();
- method = SSLv3_server_method();
+
+ /* Trust the clients to use whatever the latest/best SSL/TLS protocol they can. This should generally mean that security automatically improves as the server and client deployments upgrade to later OpenSSL releases--without breaking older client deployments that, for whatever reason, can't be immediately upgraded to the latest APF/OpenSSL versions used on the server. */
+ method = SSLv23_server_method();
 ctx = SSL_CTX_new(method);
+
 if (SSL_CTX_set_cipher_list(ctx, "ALL:@STRENGTH") == 0) {
 aflog(LOG_T_INIT, LOG_I_CRIT, "Setting ciphers list failed... exiting");
-- 
cgit v1.1
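Review bot: The new `method = SSLv23_server_method();` line lets the server negotiate any version the OpenSSL build supports, including SSLv2 and SSLv3, and nothing after `ctx = SSL_CTX_new(method);` sets a floor, so a client that only offers SSLv3 (or a man-in-the-middle forcing a fallback) still ends up on the protocol this commit is moving away from. Add `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` immediately after the `SSL_CTX_new` call so the flexible method can only settle on a TLS version; that same line is where further versions can be retired later without touching the method selection again. The commit message's claim that security "automatically improves" only holds once that floor exists, because the negotiated version is the highest both sides offer and the weakest version the server still accepts is what a downgrade attack targets. The unchanged `"ALL:@STRENGTH"` cipher string in the context below presumably still permits anonymous (aNULL) and export suites on older OpenSSL builds, so `"HIGH:!aNULL:!eNULL:@STRENGTH"` or similar is worth a follow-up, as is a NULL check on `ctx` before it is handed to `SSL_CTX_set_cipher_list`. The enclosing `main()` starts before and continues after this hunk.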