From: Tobias von der Krone Date: Tue, 19 Jan 2016 20:04:59 +0000 (+0100) Subject: Support TLSv1.1 and TLSv1.2 for the cluster transport encryption X-Git-Tag: v2.5.0~606 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1c67bf394cbcc92e103e1c35e4a3b8ee23e8c1bd;p=icinga2 Support TLSv1.1 and TLSv1.2 for the cluster transport encryption From https://wiki.openssl.org/index.php/SSL/TLS_Client: SSLv23_method specifies the protocols used and behavior of the handshake. The method essentially means SSLv2 or above, and includes the TLS protocols. The protocols are further tuned through SSL/TLS options. By using SSLv23_method (and removing the SSL protocols with SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3), then you will use TLS v1.0 and above, including TLS v1.2. You will also use a TLS handshake in the TLS Record. If you use TLSv1_method, then you will only use TLS v1.0. fixes #10988 --- diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp index d34e465c9..e623053bd 100644 --- a/lib/base/tlsutility.cpp +++ b/lib/base/tlsutility.cpp @@ -83,7 +83,9 @@ boost::shared_ptr MakeSSLContext(const String& pubkey, const String& pr InitializeOpenSSL(); - boost::shared_ptr sslContext = boost::shared_ptr(SSL_CTX_new(TLSv1_method()), SSL_CTX_free); + boost::shared_ptr sslContext = boost::shared_ptr(SSL_CTX_new(SSLv23_method()), SSL_CTX_free); + + SSL_CTX_set_options(sslContext.get(), SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION); SSL_CTX_set_mode(sslContext.get(), SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); SSL_CTX_set_session_id_context(sslContext.get(), (const unsigned char *)"Icinga 2", 8);
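Review bot: the new SSL_CTX_set_options call only removes SSLv2 and SSLv3, so with SSLv23_method() the context still negotiates TLS 1.0 alongside TLS 1.1 and 1.2; the subject line reads as adding 1.1/1.2 support, which this does, but if the intent is to make TLS 1.1 the floor for cluster transport, add SSL_OP_NO_TLSv1 to the same mask (`SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_COMPRESSION`), otherwise state explicitly in the commit message that TLS 1.0 remains accepted for compatibility with older nodes. The SSL_OP_NO_COMPRESSION flag is also a behavioural change (it disables TLS-level compression) that the message does not mention and should be documented, since it affects what peers built against older Icinga 2 versions will negotiate. Minor: SSLv23_method() is the version-flexible method here and is the right choice over TLSv1_method(), but in OpenSSL 1.1.0 and later it is a deprecated alias for TLS_method(); a comment at this line noting that would save the next reader a lookup.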