Hi, I see various things like: typedef enum pj_ssl_sock_proto { PJ_SSL_SOCK_PROTO_DEFAULT, /**< Default protocol of backend. */ PJ_SSL_SOCK_PROTO_TLS1, /**< TLSv1.0 protocol. */ PJ_SSL_SOCK_PROTO_SSL3, /**< SSLv3.0 protocol. */ PJ_SSL_SOCK_PROTO_SSL23, /**< SSLv3.0 but can roll back to SSLv2.0. */ PJ_SSL_SOCK_PROTO_SSL2, /**< SSLv2.0 protocol. */ PJ_SSL_SOCK_PROTO_DTLS1 /**< DTLSv1.0 protocol. */ } pj_ssl_sock_proto;
At least that description for PJ_SSL_SOCK_PROTO_SSL23 is wrong. It supports more protocols, including things like TLS 1.2. It's used in this code: /* Determine SSL method to use */ switch (ssock->param.proto) { case PJ_SSL_SOCK_PROTO_DEFAULT: case PJ_SSL_SOCK_PROTO_TLS1: ssl_method = (SSL_METHOD*)TLSv1_method(); break; #ifndef OPENSSL_NO_SSL2 case PJ_SSL_SOCK_PROTO_SSL2: ssl_method = (SSL_METHOD*)SSLv2_method(); break; #endif case PJ_SSL_SOCK_PROTO_SSL3: ssl_method = (SSL_METHOD*)SSLv3_method(); break; case PJ_SSL_SOCK_PROTO_SSL23: ssl_method = (SSL_METHOD*)SSLv23_method(); break; //case PJ_SSL_SOCK_PROTO_DTLS1: //ssl_method = (SSL_METHOD*)DTLSv1_method(); //break; default: return PJ_EINVAL; } So this seems to mean the default only supports TLS 1.0, and not newer protocols like TLS 1.2. I recommend you remove almost all of this. You should only use the SSLv23_* method and the DTLS_*. Those are the only methods that support multiple versions. If you have a need to restrict the supported protocols please use SSL_(CTX_)_set_options with something like SSL_OP_NO_SSLv3. There is also code like this: meth = (SSL_METHOD*)SSLv23_server_method(); if (!meth) meth = (SSL_METHOD*)TLSv1_server_method(); if (!meth) meth = (SSL_METHOD*)SSLv3_server_method(); #ifndef OPENSSL_NO_SSL2 if (!meth) meth = (SSL_METHOD*)SSLv2_server_method(); #endif This doesn't make any sense. They will all always succeed, and you only want the first one anyway. Kurt