diff --git a/src/context.lisp b/src/context.lisp
index 2738485..ab41984 100644
--- a/src/context.lisp
+++ b/src/context.lisp
@@ -89,6 +89,7 @@
 (defun make-context (&key (method nil method-supplied-p)
 (disabled-protocols)
 (options (list +SSL-OP-ALL+))
+ (min-proto-version +TLS1-2-VERSION+)
 (session-cache-mode +ssl-sess-cache-server+)
 (verify-location :default)
 (verify-depth 100)
@@ -110,6 +111,18 @@
 (declare (ignore _))
 (ssl-ctx-free ctx))))
 (ssl-ctx-set-options ctx (apply #'logior (append disabled-protocols options)))
+ ;; Older OpenSSL versions might not have this SSL_ctrl call.
+ ;; Having them error out is a sane default - it's better than to keep
+ ;; on running with insecure values.
+ ;; People that _have_ to use much too old OpenSSL versions will
+ ;; have to call MAKE-CONTEXT with :MIN-PROTO-VERSION nil.
+ ;;
+ ;; As an aside: OpenSSL had the "SSL_OP_NO_TLSv1_2" constant since
+ ;; 7409d7ad517 2011-04-29 22:56:51 +0000
+ ;; so requiring a "new"er OpenSSL to match CL+SSL's defauls shouldn't be a problem.
+ (if min-proto-version
+ (if (zerop (ssl-ctx-set-min-proto-version ctx min-proto-version))
+ (error "Couldn't set minimum SSL protocol version!")))
 (ssl-ctx-set-session-cache-mode ctx session-cache-mode)
 (ssl-ctx-set-verify-location ctx verify-location)
 (ssl-ctx-set-verify-depth ctx verify-depth)
diff --git a/src/ffi.lisp b/src/ffi.lisp
index b2e217c..a53b243 100644
--- a/src/ffi.lisp
+++ b/src/ffi.lisp
@@ -1000,3 +1000,12 @@ context and in particular the loaded certificate chain."
 (setf *ssl-global-method* nil)
 (setf *tmp-rsa-key-512* nil)
 (setf *tmp-rsa-key-1024* nil))
+
+
+
+(defconstant +TLS1-VERSION+ #x0301)
+(defconstant +TLS1-1-VERSION+ #x0302)
+(defconstant +TLS1-2-VERSION+ #x0303)
+
+(defun ssl-ctx-set-min-proto-version (ctx version)
+ (ssl-ctx-ctrl ctx 123 version (cffi:null-pointer)))
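Review bot: The new `:min-proto-version` key in the `make-context` lambda list changes behaviour for every existing caller and is not documented anywhere in this hunk. Callers that previously permitted TLS 1.0/1.1 through `:disabled-protocols` or `:options` now get a TLS 1.2 floor unless they pass the key explicitly, and NIL removes the floor entirely. The lambda list continues outside the hunk, so I cannot see whether `make-context` has a docstring; if it does, I would add a line such as `:MIN-PROTO-VERSION is the lowest protocol version the context will negotiate (default +TLS1-2-VERSION+); NIL skips the call and leaves only DISABLED-PROTOCOLS/OPTIONS in effect.`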
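Review bot: The failure path in the added `(if min-proto-version (if (zerop …) (error …)))` form gives an operator nothing to act on: the message omits the requested version, and the two one-armed `if`s read better as a single `when`. Suggested: `(when (and min-proto-version (zerop (ssl-ctx-set-min-proto-version ctx min-proto-version))) (error "Couldn't set minimum SSL protocol version to #x~4,'0x" min-proto-version))`. Failing closed is the right default here; since NIL is the only intended opt-out, it may also be worth rejecting non-integer values before they reach the foreign call. The surrounding form that appears to free `ctx` on error starts outside the hunk, so I cannot confirm the context is released on this path. Minor: `defauls` in the comment should be `defaults`.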
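Review bot: The control code `123` in `ssl-ctx-set-min-proto-version` is a bare magic number, and the function has no docstring saying that a return of 0 means failure, which the new check in context.lisp depends on. A named constant such as `(defconstant +SSL-CTRL-SET-MIN-PROTO-VERSION+ 123)` makes the correspondence to OpenSSL's `SSL_CTRL_SET_MIN_PROTO_VERSION` easy to audit. The version constants also stop at TLS 1.2, so a caller who wants to require TLS 1.3 has to pass a raw `#x0304`; adding `(defconstant +TLS1-3-VERSION+ #x0304)` would close that gap.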