Their time has long since passed, and they should not be used.
This change restricts ssl to versions 1.2 and 1.3, and changes
the regression tests to understand we no longer speak the legacy
protocols.
For the moment the magical "golden" byte for byte comparison
tests of raw handshake values are disabled until jsing fixes them.
ok jsing@ tb@
-/* $OpenBSD: s3_lib.c,v 1.244 2023/05/26 13:44:05 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.245 2023/07/02 17:21:32 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
s->s3->in_read_app_data = 0;
s->packet_length = 0;
- s->version = TLS1_VERSION;
+ s->version = TLS1_2_VERSION;
s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
}
-/* $OpenBSD: ssl_versions.c,v 1.26 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.27 2023/07/02 17:21:32 beck Exp $ */
/*
* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
*
options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
}
- if ((options & SSL_OP_NO_TLSv1) == 0)
- min_version = TLS1_VERSION;
- else if ((options & SSL_OP_NO_TLSv1_1) == 0)
- min_version = TLS1_1_VERSION;
- else if ((options & SSL_OP_NO_TLSv1_2) == 0)
+ if ((options & SSL_OP_NO_TLSv1_2) == 0)
min_version = TLS1_2_VERSION;
else if ((options & SSL_OP_NO_TLSv1_3) == 0)
min_version = TLS1_3_VERSION;
if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
max_version = TLS1_2_VERSION;
if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
- max_version = TLS1_1_VERSION;
- if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
- max_version = TLS1_VERSION;
- if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
max_version = 0;
/* Everything has been disabled... */
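Review bot: `SSL_OP_NO_TLSv1` and `SSL_OP_NO_TLSv1_1` are no longer consulted anywhere in the visible min/max selection, and nothing in the code says so; a caller that sets only those bits now gets the same range as one that sets nothing. The one remaining floor test, `if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)`, can only be true while `min_version` still holds its initial value, which is assigned outside the lines shown and is presumably 0. I would add a comment above the chain, for example `/* TLSv1.0 and TLSv1.1 are gone: their NO_ options are accepted but ignored, and min_version stays unset when both 1.2 and 1.3 are disabled. */`. The enclosing function starts and ends outside this section.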
-# $OpenBSD: Makefile,v 1.51 2022/11/05 21:58:24 jsing Exp $
+# $OpenBSD: Makefile,v 1.52 2023/07/02 17:21:32 beck Exp $
SUBDIR += api
SUBDIR += asn1
SUBDIR += buffer
SUBDIR += bytestring
SUBDIR += ciphers
-SUBDIR += client
+#SUBDIR += client
SUBDIR += dtls
SUBDIR += exporter
SUBDIR += handshake
SUBDIR += quic
SUBDIR += record
SUBDIR += record_layer
-SUBDIR += server
+#SUBDIR += server
SUBDIR += ssl
SUBDIR += tls
SUBDIR += tlsext
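Review bot: The `client` and `server` regress directories are switched off by commenting out their `SUBDIR` lines, with no marker in the file saying why or when they come back; the reason lives only in the commit message. According to that message these are the byte-for-byte handshake comparisons, so while they are off a change to what goes on the wire during version negotiation may not be caught by this tree. A line such as `# XXX client and server are disabled until the golden handshake values are regenerated for TLSv1.2 and TLSv1.3` above the first commented entry would keep the re-enable from being forgotten.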
-# $OpenBSD: Makefile,v 1.6 2023/04/19 15:34:23 tb Exp $
+# $OpenBSD: Makefile,v 1.7 2023/07/02 17:21:32 beck Exp $
# Connect a client to a server. Both can be current libressl, or
# openssl 1.1 or openssl 3.0. Pin client or server to a fixed TLS
LIBRARIES += openssl30
.endif
-VERSIONS = any TLS1 TLS1_1 TLS1_2 TLS1_3
+VERSIONS = any TLS1_2 TLS1_3
.for cver in ${VERSIONS}
.for sver in ${VERSIONS}
-/* $OpenBSD: ssltest.c,v 1.39 2023/04/15 16:50:05 tb Exp $ */
+/* $OpenBSD: ssltest.c,v 1.40 2023/07/02 17:21:32 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
fprintf(stderr, " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
fprintf(stderr, " -no_dhe - disable DHE\n");
fprintf(stderr, " -no_ecdhe - disable ECDHE\n");
- fprintf(stderr, " -dtls1 - use DTLSv1\n");
+ fprintf(stderr, " -dtls1_2 - use DTLSv1.2\n");
fprintf(stderr, " -tls1 - use TLSv1\n");
fprintf(stderr, " -tls1_2 - use TLSv1.2\n");
fprintf(stderr, " -CApath arg - PEM format directory of CA's\n");
int badop = 0;
int bio_pair = 0;
int force = 0;
- int tls1 = 0, tls1_2 = 0, dtls1 = 0, ret = 1;
+ int tls1 = 0, tls1_2 = 0, dtls1_2 = 0, ret = 1;
int client_auth = 0;
int server_auth = 0, i;
char *app_verify_arg = "Test Callback Argument";
no_dhe = 1;
else if (strcmp(*argv, "-no_ecdhe") == 0)
no_ecdhe = 1;
- else if (strcmp(*argv, "-dtls1") == 0)
- dtls1 = 1;
+ else if (strcmp(*argv, "-dtls1_2") == 0)
+ dtls1_2 = 1;
else if (strcmp(*argv, "-tls1") == 0)
tls1 = 1;
else if (strcmp(*argv, "-tls1_2") == 0)
goto end;
}
- if (!dtls1 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) {
+ if (!dtls1_2 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) {
fprintf(stderr,
"This case cannot work. Use -f to perform "
"the test anyway (and\n-d to see what happens), "
SSL_library_init();
SSL_load_error_strings();
- if (dtls1)
- meth = DTLSv1_method();
+ if (dtls1_2)
+ meth = DTLSv1_2_method();
else if (tls1)
meth = TLSv1_method();
else if (tls1_2)
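Review bot: The `-tls1` path is left intact although the library side of this commit raises the minimum version to TLSv1.2: the usage text still prints `-tls1 - use TLSv1`, the flag still sets `tls1`, and `meth = TLSv1_method();` is still selected. If `TLSv1_method()` can no longer complete a handshake, this option now only produces a confusing failure, so it should be removed together with `-dtls1`, or its usage line should say that it is expected to fail. Callers that still pass `-dtls1` now reach whatever the final `else` of the option loop does, which is outside the lines shown. `main` starts and ends outside this section.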
if $openssl no-dh; then
echo skipping anonymous DH tests
else
- echo test tls1 with 1024bit anonymous DH, multiple handshakes
- $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
+ echo skipping tls1 tests.
fi
#if $openssl no-rsa; then
# DTLS tests
#
-echo test dtlsv1
-$ssltest -dtls1 $extra || exit 1
+$ssltest -dtls1_2 $extra || exit 1
-echo test dtlsv1 with server authentication
-$ssltest -dtls1 -server_auth $CA $extra || exit 1
+echo test dtlsv1_2 with server authentication
+$ssltest -dtls1_2 -server_auth $CA $extra || exit 1
-echo test dtlsv1 with client authentication
-$ssltest -dtls1 -client_auth $CA $extra || exit 1
+echo test dtlsv1_2 with client authentication
+$ssltest -dtls1_2 -client_auth $CA $extra || exit 1
-echo test dtlsv1 with both client and server authentication
-$ssltest -dtls1 -server_auth -client_auth $CA $extra || exit 1
+echo test dtlsv1_2 with both client and server authentication
+$ssltest -dtls1_2 -server_auth -client_auth $CA $extra || exit 1
echo "Testing DTLS ciphersuites"
for protocol in SSLv3; do
awk "/ $protocol / { print \\$1 }" |
grep -v RC4`; do
echo "Testing $cipher"
- $ssltest -cipher $cipher -dtls1
+ $ssltest -cipher $cipher -dtls1_2
if [ $? -ne 0 ] ; then
echo "Failed $cipher"
exit 1
# ALPN tests
#
echo "Testing ALPN..."
-$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server foo \
+$ssltest -bio_pair -alpn_client foo -alpn_server bar || exit 1
+$ssltest -bio_pair -alpn_client foo -alpn_server foo \
-alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo \
+$ssltest -bio_pair -alpn_client foo,bar -alpn_server foo \
-alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo \
-alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo,bar \
-alpn_expected foo || exit 1
-$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo \
+$ssltest -bio_pair -alpn_client bar,foo -alpn_server bar,foo \
-alpn_expected bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo \
+$ssltest -bio_pair -alpn_client foo,bar -alpn_server bar,foo \
-alpn_expected bar || exit 1
-$ssltest -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo || exit 1
+$ssltest -bio_pair -alpn_client baz -alpn_server bar,foo || exit 1
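Review bot: The anonymous DH case is replaced by `echo skipping tls1 tests.` instead of being moved to a protocol that is still supported, so the `-cipher ADH -dhe1024dsa -num 10` multiple-handshake run no longer happens under any version; if ADH suites are still offered at TLSv1.2, the same command with `-tls1_2` would keep that coverage. In the DTLS block the first test lost its banner: `echo test dtlsv1` was removed without an `echo test dtlsv1_2` in front of `$ssltest -dtls1_2 $extra || exit 1`, unlike the three tests that follow it. The ALPN commands now run without any version flag, which ties them to whatever the default method negotiates; that is probably intended but deserves a one-line comment.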
-/* $OpenBSD: tlstest.c,v 1.1 2021/10/23 14:34:10 jsing Exp $ */
+/* $OpenBSD: tlstest.c,v 1.2 2023/07/02 17:21:33 beck Exp $ */
/*
* Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
*
.desc = "Default client and TLSv1.2 server",
.server_max_version = TLS1_2_VERSION,
},
- {
- .desc = "Default client and TLSv1.1 server",
- .server_max_version = TLS1_1_VERSION,
- },
- {
- .desc = "Default client and TLSv1.0 server",
- .server_max_version = TLS1_VERSION,
- },
{
.desc = "Default client and default server with ECDHE KEX",
.server_ciphers = "ECDHE-RSA-AES128-SHA",
.server_max_version = TLS1_2_VERSION,
.server_ciphers = "ECDHE-RSA-AES128-SHA",
},
- {
- .desc = "Default client and TLSv1.1 server with ECDHE KEX",
- .server_max_version = TLS1_1_VERSION,
- .server_ciphers = "ECDHE-RSA-AES128-SHA",
- },
- {
- .desc = "Default client and TLSv1.0 server with ECDHE KEX",
- .server_max_version = TLS1_VERSION,
- .server_ciphers = "ECDHE-RSA-AES128-SHA",
- },
{
.desc = "Default client and default server with DHE KEX",
.server_ciphers = "DHE-RSA-AES128-SHA",
.server_max_version = TLS1_2_VERSION,
.server_ciphers = "DHE-RSA-AES128-SHA",
},
- {
- .desc = "Default client and TLSv1.1 server with DHE KEX",
- .server_max_version = TLS1_1_VERSION,
- .server_ciphers = "DHE-RSA-AES128-SHA",
- },
- {
- .desc = "Default client and TLSv1.0 server with DHE KEX",
- .server_max_version = TLS1_VERSION,
- .server_ciphers = "DHE-RSA-AES128-SHA",
- },
{
.desc = "Default client and default server with RSA KEX",
.server_ciphers = "AES128-SHA",
.server_max_version = TLS1_2_VERSION,
.server_ciphers = "AES128-SHA",
},
- {
- .desc = "Default client and TLSv1.1 server with RSA KEX",
- .server_max_version = TLS1_1_VERSION,
- .server_ciphers = "AES128-SHA",
- },
- {
- .desc = "Default client and TLSv1.0 server with RSA KEX",
- .server_max_version = TLS1_VERSION,
- .server_ciphers = "AES128-SHA",
- },
{
.desc = "TLSv1.2 client and default server",
.client_max_version = TLS1_2_VERSION,
},
- {
- .desc = "TLSv1.1 client and default server",
- .client_max_version = TLS1_1_VERSION,
- },
- {
- .desc = "TLSv1.0 client and default server",
- .client_max_version = TLS1_VERSION,
- },
{
.desc = "TLSv1.2 client and default server with ECDHE KEX",
.client_max_version = TLS1_2_VERSION,
.client_ciphers = "ECDHE-RSA-AES128-SHA",
},
- {
- .desc = "TLSv1.1 client and default server with ECDHE KEX",
- .client_max_version = TLS1_1_VERSION,
- .client_ciphers = "ECDHE-RSA-AES128-SHA",
- },
- {
- .desc = "TLSv1.0 client and default server with ECDHE KEX",
- .client_max_version = TLS1_VERSION,
- .client_ciphers = "ECDHE-RSA-AES128-SHA",
- },
{
.desc = "TLSv1.2 client and default server with DHE KEX",
.server_max_version = TLS1_2_VERSION,
.client_ciphers = "DHE-RSA-AES128-SHA",
},
- {
- .desc = "TLSv1.1 client and default server with DHE KEX",
- .client_max_version = TLS1_1_VERSION,
- .client_ciphers = "DHE-RSA-AES128-SHA",
- },
- {
- .desc = "TLSv1.0 client and default server with DHE KEX",
- .client_max_version = TLS1_VERSION,
- .client_ciphers = "DHE-RSA-AES128-SHA",
- },
{
.desc = "TLSv1.2 client and default server with RSA KEX",
.client_max_version = TLS1_2_VERSION,
.client_ciphers = "AES128-SHA",
},
- {
- .desc = "TLSv1.1 client and default server with RSA KEX",
- .client_max_version = TLS1_1_VERSION,
- .client_ciphers = "AES128-SHA",
- },
- {
- .desc = "TLSv1.0 client and default server with RSA KEX",
- .client_max_version = TLS1_VERSION,
- .client_ciphers = "AES128-SHA",
- },
};
#define N_TLS_TESTS (sizeof(tls_tests) / sizeof(*tls_tests))
-# $OpenBSD: tlsfuzzer.py,v 1.49 2023/06/10 05:00:58 tb Exp $
+# $OpenBSD: tlsfuzzer.py,v 1.50 2023/07/02 17:21:33 beck Exp $
#
# Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
#
tls12_exclude_legacy_protocols = [
# all these have BIO_read timeouts against TLSv1.3
"-e", "Protocol (3, 0)",
+ "-e", "Protocol (3, 1)",
+ "-e", "Protocol (3, 2)",
"-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
# the following only fail with TLSv1.3
"-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
"-e", "Protocol (3, 1) with x448 group",
"-e", "Protocol (3, 2) with x448 group",
"-e", "Protocol (3, 3) with x448 group",
+ # These don't work without TLSv1.0 and TLSv1.1
+ "-e", "Protocol (3, 1) with secp256r1 group",
+ "-e", "Protocol (3, 1) with secp384r1 group",
+ "-e", "Protocol (3, 1) with secp521r1 group",
+ "-e", "Protocol (3, 1) with x25519 group",
+ "-e", "Protocol (3, 2) with secp256r1 group",
+ "-e", "Protocol (3, 2) with secp384r1 group",
+ "-e", "Protocol (3, 2) with secp521r1 group",
+ "-e", "Protocol (3, 2) with x25519 group",
]
tls12_tests = TestGroup("TLSv1.2 tests", [
# Tests that pass as they are.
- Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
Test("test-aes-gcm-nonces.py"),
- Test("test-chacha20.py"),
Test("test-connection-abort.py"),
Test("test-conversation.py"),
Test("test-cve-2016-2107.py"),
]
),
Test("test-dhe-key-share-random.py", tls12_exclude_legacy_protocols),
- Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.0"]),
+ Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.2"]),
Test(
"test-downgrade-protection.py",
tls12_args = ["--server-max-protocol", "TLSv1.2"],
- tls13_args = ["--server-max-protocol", "TLSv1.3"],
+ tls13_args = [
+ "--server-max-protocol", "TLSv1.3",
+ "-e", "TLS 1.3 downgrade check for Protocol (3, 1)",
+ "-e", "TLS 1.3 downgrade check for Protocol (3, 2)",
+ ]
+ ),
+ Test(
+ "test-fallback-scsv.py",
+ tls13_args = [
+ "--tls-1.3",
+ "-e", "FALLBACK - hello TLSv1.1 - pos 0",
+ "-e", "FALLBACK - hello TLSv1.1 - pos 1",
+ "-e", "FALLBACK - hello TLSv1.1 - pos 2",
+ "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 0",
+ "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 1",
+ "-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 2",
+ "-e", "record TLSv1.1 hello TLSv1.1",
+ "-e", "sanity - TLSv1.1",
+ ]
),
- Test("test-fallback-scsv.py", tls13_args = ["--tls-1.3"] ),
Test("test-invalid-compression-methods.py", [
"-x", "invalid compression methods",
Test("test-sig-algs-renegotiation-resumption.py", ["--sig-algs-drop-ok"]),
Test("test-serverhello-random.py", args = tls12_exclude_legacy_protocols),
+
+ Test("test-chacha20.py", [ "-e", "Chacha20 in TLS1.1" ]),
])
tls12_slow_tests = TestGroup("slow TLSv1.2 tests", [
# x448 tests need disabling plus x25519 corner cases need sorting out
Test("test-x25519.py"),
+
+ # Needs TLS 1.0 or 1.1
+ Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
])
tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", [
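Review bot: `test-TLSv1_2-rejected-without-TLSv1_2.py` is moved into `tls12_slow_tests` under the comment `# Needs TLS 1.0 or 1.1`, which reads as though it can no longer pass; if so it will fail every slow run, and the `tls12_unsupported_tests` group that begins right after looks like the better home. The new `-e` exclusions for `test-downgrade-protection.py` and `test-fallback-scsv.py` carry no comment, unlike the `# These don't work without TLSv1.0 and TLSv1.1` line added to `tls12_exclude_legacy_protocols`. Repeating that comment above each of the two lists would make clear that only the TLSv1.0/1.1 cases are skipped and that the remaining downgrade and FALLBACK_SCSV checks are still meant to run.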
-/* $OpenBSD: ssl_versions.c,v 1.19 2022/11/26 16:08:57 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.20 2023/07/02 17:21:33 beck Exp $ */
/*
* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
*
.options = 0,
.minver = TLS1_VERSION,
.maxver = TLS1_3_VERSION,
- .want_minver = TLS1_VERSION,
+ .want_minver = TLS1_2_VERSION,
.want_maxver = TLS1_3_VERSION,
},
{
.options = 0,
.minver = TLS1_VERSION,
.maxver = TLS1_2_VERSION,
- .want_minver = TLS1_VERSION,
+ .want_minver = TLS1_2_VERSION,
.want_maxver = TLS1_2_VERSION,
},
{
.options = SSL_OP_NO_TLSv1,
.minver = TLS1_VERSION,
.maxver = TLS1_2_VERSION,
- .want_minver = TLS1_1_VERSION,
+ .want_minver = TLS1_2_VERSION,
.want_maxver = TLS1_2_VERSION,
},
{
.options = SSL_OP_NO_TLSv1_3,
.minver = TLS1_VERSION,
.maxver = TLS1_3_VERSION,
- .want_minver = TLS1_VERSION,
+ .want_minver = TLS1_2_VERSION,
.want_maxver = TLS1_2_VERSION,
},
{
.options = SSL_OP_NO_TLSv1_2,
.minver = TLS1_VERSION,
.maxver = TLS1_2_VERSION,
- .want_minver = TLS1_VERSION,
- .want_maxver = TLS1_1_VERSION,
+ .want_minver = 0,
+ .want_maxver = 0,
},
{
.options = SSL_OP_NO_TLSv1_1,
.minver = TLS1_VERSION,
.maxver = TLS1_2_VERSION,
- .want_minver = TLS1_VERSION,
- .want_maxver = TLS1_VERSION,
+ .want_minver = TLS1_2_VERSION,
+ .want_maxver = TLS1_2_VERSION,
},
{
.options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
.options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
.minver = TLS1_VERSION,
.maxver = TLS1_2_VERSION,
- .want_minver = TLS1_VERSION,
- .want_maxver = TLS1_VERSION,
+ .want_minver = 0,
+ .want_maxver = 0,
},
{
.options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2,
.minver = TLS1_VERSION,
.maxver = TLS1_2_VERSION,
- .want_minver = TLS1_1_VERSION,
- .want_maxver = TLS1_1_VERSION,
+ .want_minver = 0,
+ .want_maxver = 0,
},
{
.options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
.options = 0,
.minver = TLS1_VERSION,
.maxver = TLS1_2_VERSION,
- .want_minver = TLS1_VERSION,
+ .want_minver = TLS1_2_VERSION,
.want_maxver = TLS1_2_VERSION,
},
{
.options = 0,
.minver = TLS1_1_VERSION,
.maxver = TLS1_2_VERSION,
- .want_minver = TLS1_1_VERSION,
+ .want_minver = TLS1_2_VERSION,
.want_maxver = TLS1_2_VERSION,
},
{
.options = 0,
.minver = TLS1_VERSION,
.maxver = TLS1_3_VERSION,
- .want_minver = TLS1_VERSION,
+ .want_minver = TLS1_2_VERSION,
.want_maxver = TLS1_3_VERSION,
},
{
.options = 0,
.minver = TLS1_1_VERSION,
.maxver = TLS1_3_VERSION,
- .want_minver = TLS1_1_VERSION,
+ .want_minver = TLS1_2_VERSION,
.want_maxver = TLS1_3_VERSION,
},
{
.options = 0,
.minver = TLS1_VERSION,
.maxver = TLS1_1_VERSION,
- .want_minver = TLS1_VERSION,
- .want_maxver = TLS1_1_VERSION,
+ .want_minver = 0,
+ .want_maxver = 0,
},
{
.options = 0,
.minver = TLS1_VERSION,
.maxver = TLS1_VERSION,
- .want_minver = TLS1_VERSION,
- .want_maxver = TLS1_VERSION,
+ .want_minver = 0,
+ .want_maxver = 0,
},
};
.minver = TLS1_VERSION,
.maxver = TLS1_2_VERSION,
.peerver = TLS1_VERSION,
- .want_maxver = TLS1_VERSION,
+ .want_maxver = 0,
},
{
.ssl_method = TLS_method,
.minver = TLS1_VERSION,
.maxver = TLS1_2_VERSION,
.peerver = TLS1_1_VERSION,
- .want_maxver = TLS1_1_VERSION,
+ .want_maxver = 0,
},
{
.ssl_method = TLS_method,
.minver = TLS1_VERSION,
.maxver = TLS1_2_VERSION,
.peerver = TLS1_2_VERSION,
- .want_maxver = TLS1_1_VERSION,
+ .want_maxver = 0,
},
{
.ssl_method = TLS_method,
.minver = TLS1_VERSION,
.maxver = TLS1_2_VERSION,
.peerver = TLS1_2_VERSION,
- .want_maxver = TLS1_VERSION,
+ .want_maxver = 0,
},
{
.ssl_method = TLS_method,
.minver = TLS1_VERSION,
.maxver = TLS1_2_VERSION,
.peerver = TLS1_1_VERSION,
- .want_maxver = TLS1_1_VERSION,
+ .want_maxver = 0,
},
{
.ssl_method = TLS_method,
.minver = TLS1_VERSION,
.maxver = TLS1_2_VERSION,
.peerver = TLS1_1_VERSION,
- .want_maxver = TLS1_VERSION,
+ .want_maxver = 0,
},
{
.ssl_method = TLS_method,
.minver = TLS1_VERSION,
.maxver = TLS1_1_VERSION,
.peerver = TLS1_2_VERSION,
- .want_maxver = TLS1_1_VERSION,
+ .want_maxver = 0,
},
{
.ssl_method = TLS_method,
.minver = TLS1_VERSION,
.maxver = TLS1_VERSION,
.peerver = TLS1_2_VERSION,
- .want_maxver = TLS1_VERSION,
+ .want_maxver = 0,
},
{
.ssl_method = TLSv1_method,
.minver = TLS1_VERSION,
.maxver = TLS1_2_VERSION,
.peerver = TLS1_VERSION,
- .want_maxver = TLS1_VERSION,
+ .want_maxver = 0,
},
{
.ssl_method = TLSv1_method,
.minver = TLS1_VERSION,
.maxver = TLS1_2_VERSION,
.peerver = TLS1_1_VERSION,
- .want_maxver = TLS1_1_VERSION,
+ .want_maxver = 0,
},
{
.ssl_method = DTLS_method,
.minver = TLS1_1_VERSION,
.maxver = TLS1_2_VERSION,
.peerver = DTLS1_VERSION,
- .want_maxver = DTLS1_VERSION,
+ .want_maxver = 0,
},
{
.ssl_method = DTLS_method,
.minver = TLS1_1_VERSION,
.maxver = TLS1_1_VERSION,
.peerver = DTLS1_2_VERSION,
- .want_maxver = DTLS1_VERSION,
+ .want_maxver = 0,
},
{
.ssl_method = DTLSv1_2_method,
.minver = TLS1_1_VERSION,
.maxver = TLS1_2_VERSION,
.peerver = DTLS1_2_VERSION,
- .want_maxver = DTLS1_VERSION,
+ .want_maxver = 0,
},
};
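Review bot: Several cases now expect `0` where the requested range lies wholly below TLSv1.2 (for example `.minver = TLS1_VERSION, .maxver = TLS1_1_VERSION` with `.want_minver = 0, .want_maxver = 0`), and nothing in the table says that this is the intended outcome. It is worth pinning in words, because it shows that a legacy-only configuration ends with no enabled version rather than being silently raised; a comment such as `/* Ranges entirely below TLSv1.2 must yield no enabled version. */` on those entries would do. In the shared-version table every visible changed case now expects `.want_maxver = 0`, so I would check that at least one entry outside these lines still expects a non-zero result for a TLSv1.2 or TLSv1.3 peer.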