From 91a72baa658628354bd7adba45fb6071356898bd Mon Sep 17 00:00:00 2001 From: Joshua Judson Rosen Date: Mon, 20 Oct 2014 00:31:21 -0400 Subject: afclient: use whatever version of TLS (or better) we can. Refuse to use pre-TLS SSL, since now SSLv3 has been broken by POODLE attack. --- src/afclient.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/afclient.c b/src/afclient.c index 5a823eb..9eaee7f 100644 --- a/src/afclient.c +++ b/src/afclient.c @@ -673,8 +673,17 @@ main(int argc, char **argv) if (ClientRealm_get_clientMode(pointer) != CLIENTREALM_MODE_REVERSE) { SSL_library_init(); - method = SSLv3_client_method(); + + /* Use the latest TLS version we can: */ + method = SSLv23_client_method(); ctx = SSL_CTX_new(method); + /* Both SSLv2 and SSLv3 are broken--refuse to use them; + this should get us at least some version of TLS, + ideally whatever the best both our OpenSSL library + and the server's OpenSSL library can support: + */ + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); + if (SSL_CTX_set_cipher_list(ctx, "ALL:@STRENGTH") == 0) { aflog(LOG_T_INIT, LOG_I_CRIT, "Setting cipher list failed... exiting"); -- cgit v1.1