> > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
> index 0b63e26..0785ce4 100644
> --- a/src/openvpn/ssl_openssl.c
> +++ b/src/openvpn/ssl_openssl.c
> @@ -98,10 +98,10 @@ tls_ctx_server_new(struct tls_root_ctx *ctx)
> {
> ASSERT(NULL != ctx);
>
> - ctx->ctx = SSL_CTX_new (SSLv23_server_method ());
> + ctx->ctx = SSL_CTX_new (TLSv1_server_method ());
>
> if (ctx->ctx == NULL)
> - msg (M_SSLERR, "SSL_CTX_new SSLv23_server_method");
> + msg (M_SSLERR, "SSL_CTX_new TLSv1_server_method");
> }
>
> void
> @@ -109,10 +109,10 @@ tls_ctx_client_new(struct tls_root_ctx *ctx)
> {
> ASSERT(NULL != ctx);
>
> - ctx->ctx = SSL_CTX_new (SSLv23_client_method ());
> + ctx->ctx = SSL_CTX_new (TLSv1_client_method ());
>
> if (ctx->ctx == NULL)
> - msg (M_SSLERR, "SSL_CTX_new SSLv23_client_method");
> + msg (M_SSLERR, "SSL_CTX_new TLSv1_client_method");
> }
> Your patch has the same effect. I effectively disables all TLS 1.1+. The OpenSSL API names are terribly confusing.
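Review bot: Neither hunk sets a protocol option mask on the new context, so the constructor name is the only thing deciding which versions `ctx->ctx` accepts, in both `tls_ctx_server_new` and `tls_ctx_client_new`. If the goal is to exclude SSLv2/SSLv3 (an assumption; the patch carries no description), the version-flexible `SSLv23_*_method ()` constructors can stay and the exclusion can go after the NULL check as `SSL_CTX_set_options (ctx->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`. A one-line comment beside each `SSL_CTX_new` call stating the accepted version range, e.g. `/* negotiates the highest mutually supported version; SSLv2/SSLv3 masked below */`, would keep the next reader from misreading the method name.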
SSLv23_client_method will negotiate the highest protocol available, and TLSv1_client_method will only negotiate TLS 1.0.

Arne