From aa80f63b4ab19101cbdc376f7e0613ed410fee11 Mon Sep 17 00:00:00 2001
From: Bernhard Miklautz
Date: Tue, 12 Jan 2016 17:43:14 +0100
Subject: [PATCH] tls: enable tls 1+

Currently TLS version 1.0 is used implicitly by using the TLSv1_method. To be able to also use TLS 1.1 and later use SSLv23_client_method instead. To make sure SSLv2 or SSLv3 isn't used disable them.
---
 libfreerdp/crypto/tls.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libfreerdp/crypto/tls.c b/libfreerdp/crypto/tls.c
index 63ff9b4a8..90de48b2f 100644
--- a/libfreerdp/crypto/tls.c
+++ b/libfreerdp/crypto/tls.c
@@ -798,7 +798,13 @@ int tls_connect(rdpTls* tls, BIO* underlying)
 	 */
 	options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
 
-	if (!tls_prepare(tls, underlying, TLSv1_client_method(), options, TRUE))
+	/**
+	 * disable SSLv2 and SSLv3
+	 */
+	options |= SSL_OP_NO_SSLv2;
+	options |= SSL_OP_NO_SSLv3;
+
+	if (!tls_prepare(tls, underlying, SSLv23_client_method(), options, TRUE))
 		return FALSE;
 
 	return tls_do_handshake(tls, TRUE);
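Review bot: The new comment above the two option lines says what is disabled but not why the method changed, so the switch to SSLv23_client_method() and the SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 lines read as unrelated; since that method negotiates the highest version both peers support, the comment should state that the options set the floor, e.g. `/* SSLv23_client_method() negotiates the highest version both peers support; clearing SSLv2/SSLv3 makes TLS 1.0 the minimum. */` (a plain `/* */` rather than a Doxygen `/** */` inside a function body). Whether the accept side of this file still pins a fixed TLSv1 server method is not visible in this hunk; if it does, the version floor introduced here applies only to outgoing connections. Newer OpenSSL releases deprecate SSLv23_client_method() in favour of TLS_client_method(), which behaves the same, so a version-guarded alias would keep this call site warning-free. tls_connect's body continues outside the hunk on both sides.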