@@ -85,6 +85,8 @@ struct tls_config {
#define TLS_CONN_DISABLE_SESSION_TICKET BIT(2)
#define TLS_CONN_REQUEST_OCSP BIT(3)
#define TLS_CONN_REQUIRE_OCSP BIT(4)
+#define TLS_CONN_DISABLE_TLSv1_1 BIT(5)
+#define TLS_CONN_DISABLE_TLSv1_2 BIT(6)
/**
* struct tls_connection_params - Parameters for TLS connection
@@ -3182,6 +3182,15 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
#endif /* SSL_clear_options */
#endif /* SSL_OP_NO_TICKET */
+ if (params->flags & TLS_CONN_DISABLE_TLSv1_1)
+ SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_1);
+ else
+ SSL_clear_options(conn->ssl, SSL_OP_NO_TLSv1_1);
+ if (params->flags & TLS_CONN_DISABLE_TLSv1_2)
+ SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_2);
+ else
+ SSL_clear_options(conn->ssl, SSL_OP_NO_TLSv1_2);
+
#ifdef HAVE_OCSP
if (params->flags & TLS_CONN_REQUEST_OCSP) {
SSL_CTX *ssl_ctx = tls_ctx;
@@ -64,6 +64,14 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
if (os_strstr(txt, "tls_disable_session_ticket=0"))
params->flags &= ~TLS_CONN_DISABLE_SESSION_TICKET;
+ if (os_strstr(txt, "tls_disable_tlsv1_1=1"))
+ params->flags |= TLS_CONN_DISABLE_TLSv1_1;
+ if (os_strstr(txt, "tls_disable_tlsv1_1=0"))
+ params->flags &= ~TLS_CONN_DISABLE_TLSv1_1;
+ if (os_strstr(txt, "tls_disable_tlsv1_2=1"))
+ params->flags |= TLS_CONN_DISABLE_TLSv1_2;
+ if (os_strstr(txt, "tls_disable_tlsv1_2=0"))
+ params->flags &= ~TLS_CONN_DISABLE_TLSv1_2;
}
Change-Id: I5c23b6f7ea07719829622e6661807ca53da5b068 Signed-off-by: Dmitry Shmidt <dimitrysh@google.com> --- src/crypto/tls.h | 2 ++ src/crypto/tls_openssl.c | 9 +++++++++ src/eap_peer/eap_tls_common.c | 8 ++++++++ 3 files changed, 19 insertions(+)