Request TLS v1.2 at minimum.

See issue 34[1] for the discussion. Doc change to follow. Ad 1: cl-plus-ssl#34
phmarek · Jul 31, 2019 · 5cdc0e4 · 5cdc0e4
1 parent 13ec117
commit 5cdc0e4
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/src/context.lisp b/src/context.lisp
@@ -89,6 +89,7 @@
 (defun make-context (&key (method nil method-supplied-p)
                           (disabled-protocols)
                           (options (list +SSL-OP-ALL+))
+                          (min-proto-version +TLS1-2-VERSION+)
                           (session-cache-mode +ssl-sess-cache-server+)
                           (verify-location :default)
                           (verify-depth 100)
@@ -110,6 +111,18 @@
                             (declare (ignore _))
                             (ssl-ctx-free ctx))))
       (ssl-ctx-set-options ctx (apply #'logior (append disabled-protocols options)))
+      ;; Older OpenSSL versions might not have this SSL_ctrl call.
+      ;; Having them error out is a sane default - it's better than to keep
+      ;; on running with insecure values.
+      ;; People that _have_ to use much too old OpenSSL versions will
+      ;; have to call MAKE-CONTEXT with :MIN-PROTO-VERSION nil.
+      ;;
+      ;; As an aside: OpenSSL had the "SSL_OP_NO_TLSv1_2" constant since
+      ;;   7409d7ad517    2011-04-29 22:56:51 +0000
+      ;; so requiring a "new"er OpenSSL to match CL+SSL's defauls shouldn't be a problem.
+      (if min-proto-version
+        (if (zerop (ssl-ctx-set-min-proto-version ctx min-proto-version))
+          (error "Couldn't set minimum SSL protocol version!")))
       (ssl-ctx-set-session-cache-mode ctx session-cache-mode)
       (ssl-ctx-set-verify-location ctx verify-location)
       (ssl-ctx-set-verify-depth ctx verify-depth)

diff --git a/src/ffi.lisp b/src/ffi.lisp
@@ -1000,3 +1000,12 @@ context and in particular the loaded certificate chain."
   (setf *ssl-global-method* nil)
   (setf *tmp-rsa-key-512* nil)
   (setf *tmp-rsa-key-1024* nil))
+
+
+
+(defconstant +TLS1-VERSION+   #x0301)
+(defconstant +TLS1-1-VERSION+ #x0302)
+(defconstant +TLS1-2-VERSION+ #x0303)
+
+(defun ssl-ctx-set-min-proto-version (ctx version)
+  (ssl-ctx-ctrl ctx 123 version (cffi:null-pointer)))