From cf985748985e1002f3fe0ac1ddd37e80c45c8435 Mon Sep 17 00:00:00 2001
From: Philipp Marek <philipp@marek.priv.at>
Date: Tue, 11 Dec 2018 14:26:24 +0100
Subject: [PATCH] Request TLS v1.2 at minimum.

See issue 34[1] for the discussion.
Doc change to follow.

Ad 1: https://github.com/cl-plus-ssl/cl-plus-ssl/issues/34
---
 src/context.lisp | 13 +++++++++++++
 src/ffi.lisp     |  9 +++++++++
 2 files changed, 22 insertions(+)

diff --git a/src/context.lisp b/src/context.lisp
index 2738485..ab41984 100644
--- a/src/context.lisp
+++ b/src/context.lisp
@@ -89,6 +89,7 @@
 (defun make-context (&key (method nil method-supplied-p)
                           (disabled-protocols)
                           (options (list +SSL-OP-ALL+))
+                          (min-proto-version +TLS1-2-VERSION+)
                           (session-cache-mode +ssl-sess-cache-server+)
                           (verify-location :default)
                           (verify-depth 100)
@@ -110,6 +111,18 @@
                             (declare (ignore _))
                             (ssl-ctx-free ctx))))
       (ssl-ctx-set-options ctx (apply #'logior (append disabled-protocols options)))
+      ;; Older OpenSSL versions might not have this SSL_ctrl call.
+      ;; Having them error out is a sane default - it's better than to keep
+      ;; on running with insecure values.
+      ;; People that _have_ to use much too old OpenSSL versions will
+      ;; have to call MAKE-CONTEXT with :MIN-PROTO-VERSION nil.
+      ;;
+      ;; As an aside: OpenSSL had the "SSL_OP_NO_TLSv1_2" constant since
+      ;;   7409d7ad517    2011-04-29 22:56:51 +0000
+      ;; so requiring a "new"er OpenSSL to match CL+SSL's defauls shouldn't be a problem.
+      (if min-proto-version
+        (if (zerop (ssl-ctx-set-min-proto-version ctx min-proto-version))
+          (error "Couldn't set minimum SSL protocol version!")))
       (ssl-ctx-set-session-cache-mode ctx session-cache-mode)
       (ssl-ctx-set-verify-location ctx verify-location)
       (ssl-ctx-set-verify-depth ctx verify-depth)
diff --git a/src/ffi.lisp b/src/ffi.lisp
index 444ab81..480b32b 100644
--- a/src/ffi.lisp
+++ b/src/ffi.lisp
@@ -1030,3 +1030,12 @@ context and in particular the loaded certificate chain."
   (setf *ssl-global-method* nil)
   (setf *tmp-rsa-key-512* nil)
   (setf *tmp-rsa-key-1024* nil))
+
+
+
+(defconstant +TLS1-VERSION+   #x0301)
+(defconstant +TLS1-1-VERSION+ #x0302)
+(defconstant +TLS1-2-VERSION+ #x0303)
+
+(defun ssl-ctx-set-min-proto-version (ctx version)
+  (ssl-ctx-ctrl ctx 123 version (cffi:null-pointer)))