TLS 1.1 and TLS 1.2 Support - use SSLv23_method() not TLSv1_method()

Jouni Malinen j
Sun Nov 16 07:38:46 PST 2014


On Sun, Nov 16, 2014 at 03:09:58PM +0000, Nick Lowe wrote:
> In struct tls_connection * tls_connection_init(void *ssl_ctx) { ... }, there is:
> 
> options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE;
> 
> When I was grepping away through the source, it was this that made me
> think it wasn't needed.

Ah, yes, that function should indeed get used for each instance of SSL
object initialization, so the changes to the context values would
probably not have been needed (not that they do any harm). This per-SSL
object code is from 2004, but I'm not sure why exactly that was added
initially since TLSv1_method() was used then. Anyway, this is just an
unnecessary, duplicated disabling of the old protocol versions.

-- 
Jouni Malinen                                            PGP id EFC895FA
