File no_tls11_config.patch of Package sblim-sfcb
Index: sblim-sfcb-1.4.9/control.c
===================================================================
--- sblim-sfcb-1.4.9.orig/control.c
+++ sblim-sfcb-1.4.9/control.c
@@ -177,6 +177,9 @@ static Control init[] = {
{"sslEcDhCurveName", CTL_STRING, "secp224r1", {0}},
{"sslNoSSLv3", CTL_BOOL, NULL, {.b=0}},
{"sslNoTLSv1", CTL_BOOL, NULL, {.b=0}},
+ {"sslNoTLSv1_1", CTL_BOOL, NULL, {.b=0}},
+ {"sslNoTLSv1_2", CTL_BOOL, NULL, {.b=0}},
+ {"sslNoTLSv1_3", CTL_BOOL, NULL, {.b=0}},
{"enableSslCipherServerPref", CTL_BOOL, NULL, {.b=0}},
{"registrationDir", CTL_STRING, SFCB_STATEDIR "/registration", {0}},
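Review bot: The three new entries default to `{.b=0}`, so TLS 1.1 stays enabled unless an administrator opts out, the same opt-out model the table already uses for SSLv3 and TLS 1.0. TLS 1.0 and 1.1 are formally deprecated (RFC 8996), so consider shipping `{"sslNoTLSv1_1", CTL_BOOL, NULL, {.b=1}},` if the supported clients allow it, while keeping the 1.2 and 1.3 switches at 0. If the default has to stay for compatibility, a short comment above the entries would record that, e.g. `/* protocol opt-outs default to 0 for compatibility; set to true in sfcb.cfg to disable */`.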
Index: sblim-sfcb-1.4.9/sfcb.cfg.pre.in
===================================================================
--- sblim-sfcb-1.4.9.orig/sfcb.cfg.pre.in
+++ sblim-sfcb-1.4.9/sfcb.cfg.pre.in
@@ -294,6 +294,9 @@ sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STR
## Default is false for both
#sslNoSSLv3: false
#sslNoTLSv1: false
+#sslNoTLSv1_1: false
+#sslNoTLSv1_2: false
+#sslNoTLSv1_3: false
## Optionally configure a DH parameters file for ephemeral key generation.
## See man SSL_CTX_set_tmp_dh_callback(3) for details. The value should be
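Review bot: The context line `## Default is false for both` above the added lines is now stale, because it covers five options rather than two; it should read something like `## Default is false for all of them`. The descriptive text for these options starts outside the hunk, so I cannot see whether it names the new ones. It should mention them and warn that setting every `sslNo*` option to true leaves no protocol version the server can negotiate.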
Index: sblim-sfcb-1.4.9/httpAdapter.c
===================================================================
--- sblim-sfcb-1.4.9.orig/httpAdapter.c
+++ sblim-sfcb-1.4.9/httpAdapter.c
@@ -2089,13 +2089,27 @@ initSSL()
*/
long options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2;
+#ifndef SSL_OP_NO_TLSv1_3
+# define SSL_OP_NO_TLSv1_3 0x20000000U
+#endif
+
if (!getControlBool("sslNoSSLv3", &sslopt) && sslopt)
options |= SSL_OP_NO_SSLv3;
if (!getControlBool("sslNoTLSv1", &sslopt) && sslopt)
options |= SSL_OP_NO_TLSv1;
- _SFCB_TRACE(1, ("--- sslNoSSLv3=%s, sslNoTLSv1=%s",
+ if (!getControlBool("sslNoTLSv1_1", &sslopt) && sslopt)
+ options |= SSL_OP_NO_TLSv1_1;
+ if (!getControlBool("sslNoTLSv1_2", &sslopt) && sslopt)
+ options |= SSL_OP_NO_TLSv1_2;
+ if (!getControlBool("sslNoTLSv1_3", &sslopt) && sslopt)
+ options |= SSL_OP_NO_TLSv1_3;
+ _SFCB_TRACE(1, ("--- sslNoSSLv3=%s, sslNoTLSv1=%s, sslNoTLSv1_1=%s, sslNoTLSv1_2=%s, sslNoTLSv1_3=%s",
(options & SSL_OP_NO_SSLv3 ? "true" : "false"),
- (options & SSL_OP_NO_TLSv1 ? "true" : "false")));
+ (options & SSL_OP_NO_TLSv1 ? "true" : "false"),
+ (options & SSL_OP_NO_TLSv1_1 ? "true" : "false"),
+ (options & SSL_OP_NO_TLSv1_2 ? "true" : "false"),
+ (options & SSL_OP_NO_TLSv1_3 ? "true" : "false")
+ ));
if (!getControlBool("enableSslCipherServerPref", &sslopt) && sslopt) {
_SFCB_TRACE(1, ("--- enableSslCipherServerPref = true"));
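Review bot: The fallback `#define SSL_OP_NO_TLSv1_3 0x20000000U` near the top of the hunk hides a missing library feature. When the OpenSSL headers do not define the macro, the bit is still set in `options` and the trace reports `sslNoTLSv1_3=true`, although the library presumably cannot honour it and may give that bit another meaning. I would drop the fallback and wrap the `sslNoTLSv1_3` check in `#ifdef SSL_OP_NO_TLSv1_3`, logging a warning in the `#else` branch when the option is set; `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` are used with no guard at all, so the handling is also inconsistent. Nothing here rejects a configuration that sets every flag, which would leave no protocol version to negotiate; on OpenSSL 1.1.0 and later `SSL_CTX_set_min_proto_version()` states a protocol floor more directly. initSSL's body starts and ends outside the hunk.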