From 4f4d692321384b4d2fb1ceeadbcf4e03d64cf92d Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita <tats@debian.org>
Date: Wed, 10 Feb 2021 20:15:54 +0900
Subject: New option ssl_min_version for OpenSSL 1.1

---
 rc.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'rc.c')

diff --git a/rc.c b/rc.c
index 521e830..f2c4021 100644
--- a/rc.c
+++ b/rc.c
@@ -205,6 +205,9 @@ static int OptionEncode = FALSE;
 #define CMT_SSL_CA_FILE N_("File consisting of PEM encoded certificates of CAs")
 #endif				/* USE_SSL_VERIFY */
 #define CMT_SSL_FORBID_METHOD N_("List of forbidden SSL methods (2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)")
+#ifdef SSL_CTX_set_min_proto_version
+#define CMT_SSL_MIN_VERSION N_("Minimum SSL version (TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3)")
+#endif
 #define CMT_SSL_CIPHER N_("SSL ciphers for TLSv1.2 and below (e.g. DEFAULT:@SECLEVEL=2)")
 #endif				/* USE_SSL */
 #ifdef USE_COOKIE
@@ -613,6 +616,10 @@ struct param_ptr params6[] = {
 struct param_ptr params7[] = {
     {"ssl_forbid_method", P_STRING, PI_TEXT, (void *)&ssl_forbid_method,
      CMT_SSL_FORBID_METHOD, NULL},
+#ifdef SSL_CTX_set_min_proto_version
+    {"ssl_min_version", P_STRING, PI_TEXT, (void *)&ssl_min_version,
+     CMT_SSL_MIN_VERSION, NULL},
+#endif
     {"ssl_cipher", P_STRING, PI_TEXT, (void *)&ssl_cipher, CMT_SSL_CIPHER,
      NULL},
 #ifdef USE_SSL_VERIFY
-- 
cgit v1.2.3