From 4f4d692321384b4d2fb1ceeadbcf4e03d64cf92d Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita
Date: Wed, 10 Feb 2021 20:15:54 +0900
Subject: New option ssl_min_version for OpenSSL 1.1

---
 url.c | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

(limited to 'url.c')

diff --git a/url.c b/url.c
index c7eeb16..9e67e06 100644
--- a/url.c
+++ b/url.c
@@ -293,6 +293,38 @@ init_PRNG()
 }
 #endif /* SSLEAY_VERSION_NUMBER >= 0x00905100 */
 
+#ifdef SSL_CTX_set_min_proto_version
+static int
+str_to_ssl_version(const char *name)
+{
+#ifdef TLS1_3_VERSION
+    if (!strcasecmp(name, "TLSv1.3"))
+        return TLS1_3_VERSION;
+#endif
+#ifdef TLS1_2_VERSION
+    if (!strcasecmp(name, "TLSv1.2"))
+        return TLS1_2_VERSION;
+#endif
+#ifdef TLS1_1_VERSION
+    if (!strcasecmp(name, "TLSv1.1"))
+        return TLS1_1_VERSION;
+#endif
+    if (!strcasecmp(name, "TLSv1.0"))
+        return TLS1_VERSION;
+    if (!strcasecmp(name, "TLSv1"))
+        return TLS1_VERSION;
+    if (!strcasecmp(name, "SSLv3.0"))
+        return SSL3_VERSION;
+    if (!strcasecmp(name, "SSLv3"))
+        return SSL3_VERSION;
+    if (!strcasecmp(name, "SSLv2.0"))
+        return SSL2_VERSION;
+    if (!strcasecmp(name, "SSLv2"))
+        return SSL2_VERSION;
+    return 0;
+}
+#endif /* SSL_CTX_set_min_proto_version */
+
 static SSL *
 openSSLHandle(int sock, char *hostname, char **p_cert)
 {
@@ -336,6 +368,17 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
 #endif
     if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
         goto eend;
+#ifdef SSL_CTX_set_min_proto_version
+    if (ssl_min_version && *ssl_min_version != '\0') {
+        int sslver;
+        sslver = str_to_ssl_version(ssl_min_version);
+        if (sslver <= 0
+            || !SSL_CTX_set_min_proto_version(ssl_ctx, sslver)) {
+            free_ssl_ctx();
+            goto eend;
+        }
+    }
+#endif
     if (ssl_cipher && *ssl_cipher != '\0')
         if (!SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher)) {
             free_ssl_ctx();
-- 
cgit v1.2.3
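Review bot: The `#ifdef SSL_CTX_set_min_proto_version` guard around str_to_ssl_version (and the matching guard in the second hunk) keys on the name being a preprocessor macro, so on a library that exposes it as a real function — LibreSSL does, as far as I recall — both blocks drop out and a configured ssl_min_version is accepted but never enforced, which fails open for a hardening option. Consider also testing the library version, e.g. `#if defined(SSL_CTX_set_min_proto_version) || OPENSSL_VERSION_NUMBER >= 0x10100000L`, or at least documenting the limitation next to the option. The new function also lacks a contract comment; I would add `/* Map an ssl_min_version name to an OpenSSL protocol constant; returns 0 for an unrecognised name, which the caller treats as a fatal configuration error. */`. Note too that the parser accepts "SSLv2"/"SSLv2.0" although, if I remember OpenSSL 1.1 correctly, SSL_CTX_set_min_proto_version rejects SSL2_VERSION since SSLv2 was removed, so those names would abort every connection rather than mean "no floor"; worth confirming and either dropping them or noting it.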
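Review bot: When `sslver <= 0` or `SSL_CTX_set_min_proto_version` fails, the new block jumps to `eend` without any diagnostic, so a typo in ssl_min_version is indistinguishable from a generic TLS connection failure and the user has no hint that the option was rejected. Before the `goto eend;` report the offending value through whatever error path this file already uses around `eend:` (not visible in the hunk), e.g. a message naming ssl_min_version and the string it was given. The `int sslver;` followed by a separate assignment can be collapsed to `int sslver = str_to_ssl_version(ssl_min_version);`. openSSLHandle's body continues on both sides of the hunk, and ssl_min_version appears to be a configuration global declared elsewhere.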