OpenSSL: Add option to disable use of TLSv1.0

The new phase1 config parameter value tls_disable_tlsv1_0=1 can now be
used to disable use of TLSv1.0 for a network configuration. This can be
used to force a newer TLS version to be used. For example,
phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1" would indicate that
only TLS v1.2 is accepted.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index 0ea3687..26f0e36 100644 (file)
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -93,6 +93,7 @@ struct tls_config {
 #define TLS_CONN_DISABLE_TLSv1_1 BIT(5)
 #define TLS_CONN_DISABLE_TLSv1_2 BIT(6)
 #define TLS_CONN_EAP_FAST BIT(7)
+#define TLS_CONN_DISABLE_TLSv1_0 BIT(8)
 
 /**
  * struct tls_connection_params - Parameters for TLS connection

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 17a63cf..fb5af90 100644 (file)
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3544,6 +3544,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 #endif /* SSL_clear_options */
 #endif /*  SSL_OP_NO_TICKET */
 
+#ifdef SSL_OP_NO_TLSv1
+       if (params->flags & TLS_CONN_DISABLE_TLSv1_0)
+               SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1);
+       else
+               SSL_clear_options(conn->ssl, SSL_OP_NO_TLSv1);
+#endif /* SSL_OP_NO_TLSv1 */
 #ifdef SSL_OP_NO_TLSv1_1
        if (params->flags & TLS_CONN_DISABLE_TLSv1_1)
                SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_1);

diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index fef7fdb..2b5a048 100644 (file)
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -68,6 +68,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
                params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
        if (os_strstr(txt, "tls_disable_session_ticket=0"))
                params->flags &= ~TLS_CONN_DISABLE_SESSION_TICKET;
+       if (os_strstr(txt, "tls_disable_tlsv1_0=1"))
+               params->flags |= TLS_CONN_DISABLE_TLSv1_0;
+       if (os_strstr(txt, "tls_disable_tlsv1_0=0"))
+               params->flags &= ~TLS_CONN_DISABLE_TLSv1_0;
        if (os_strstr(txt, "tls_disable_tlsv1_1=1"))
                params->flags |= TLS_CONN_DISABLE_TLSv1_1;
        if (os_strstr(txt, "tls_disable_tlsv1_1=0"))

diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index d380965..b93d3ff 100644 (file)
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -986,6 +986,7 @@ fast_reauth=1
 #      EAP workarounds are disabled with eap_workaround=0.
 #      For EAP-FAST, this must be set to 0 (or left unconfigured for the
 #      default value to be used automatically).
+# tls_disable_tlsv1_0=1 - disable use of TLSv1.0
 # tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers
 #      that have issues interoperating with updated TLS version)
 # tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers