honor system defaults for TLS version

mariux64 · Oct 4, 2021 · 3b2e356 · 3b2e356
1 parent f4eaf64
commit 3b2e356
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 5 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -6,6 +6,7 @@ unreleased changes
 	- Fix lazy certificate check when connecting to TLS servers
 	- Fix connect is aborted if first host in list has invalid certificate
 	- Fix setstacksize for glibc 2.34 (#91)
+	- Fix system defaults/settings for TLS version not honored
 
 2021-05-28 1.9.0
 	New features:

diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example
@@ -105,6 +105,8 @@ tls default {
     # Optionally require that peer certs have one of the specified policyOIDs
     # policyoid     1.2.3 # this option can be used multiple times
     # policyoid     1.3.4
+	# Require at least TLS1.2, overriding system defaults
+	# TLSVersion TLS1_2:
 }
 
 # If you want one cert for all clients and another for all servers, use

diff --git a/radsecproxy.conf.5.in b/radsecproxy.conf.5.in
@@ -842,6 +842,7 @@ Specify the TLS/DTLS protocol \fIversion\fR to be used.
 Specify the range of allowed protocol versions between \fIminversion\fR and 
 \fImaxversion\fR (inclusive). If either is left out, any version up to, or 
 starting from this version is allowed. E.g. "TLS1_2:" will allow TLSv1.2 or later.
+If omitted, use the system defaults set in openssl.conf
 .br
 Currently supported values are
 .BR SSL3 , TLS1 , TLS1_1 , TLS1_2 , TLS1_3

diff --git a/tlscommon.c b/tlscommon.c
@@ -390,8 +390,10 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
         /* TLS_method() was introduced in OpenSSL 1.1.0. */
         ctx = SSL_CTX_new(TLS_method());
-        SSL_CTX_set_min_proto_version(ctx, conf->tlsminversion);
-        SSL_CTX_set_max_proto_version(ctx, conf->tlsmaxversion);
+        if (conf->tlsminversion >= 0)
+            SSL_CTX_set_min_proto_version(ctx, conf->tlsminversion);
+        if (conf->tlsmaxversion >= 0)
+            SSL_CTX_set_max_proto_version(ctx, conf->tlsmaxversion);
 #else
         /* No TLS_method(), use SSLv23_method() and disable SSLv2 and SSLv3. */
         ctx = SSL_CTX_new(SSLv23_method());
@@ -408,8 +410,10 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
         /* DTLS_method() seems to have been introduced in OpenSSL 1.0.2. */
         ctx = SSL_CTX_new(DTLS_method());
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
-        SSL_CTX_set_min_proto_version(ctx, conf->dtlsminversion);
-        SSL_CTX_set_max_proto_version(ctx, conf->dtlsmaxversion);
+        if (conf->dtlsminversion >= 0)
+            SSL_CTX_set_min_proto_version(ctx, conf->dtlsminversion);
+        if (conf->dtlsmaxversion >= 0)
+            SSL_CTX_set_max_proto_version(ctx, conf->dtlsmaxversion);
 #endif
 #else
         ctx = SSL_CTX_new(DTLSv1_method());
@@ -905,7 +909,8 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v
 	conf->cacheexpiry = expiry;
     }
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
-    conf->tlsminversion = TLS1_1_VERSION;
+    /* use -1 as 'not set' value */
+    conf->tlsminversion = conf->tlsmaxversion = conf->dtlsminversion = conf->dtlsmaxversion = -1;
     if (tlsversion) {
         if(!conf_tls_version(tlsversion, &conf->tlsminversion, &conf->tlsmaxversion)) {
             debug(DBG_ERR, "error in block %s, invalid TlsVersion %s", val, tlsversion);