From 0fa5dec7d796d23600607abb123c39d00960f166 Mon Sep 17 00:00:00 2001 From: Bram Matthys Date: Thu, 9 Jan 2014 21:39:36 +0100 Subject: [PATCH] Secure server to server links were previously hardcoded at SSLv3. This has been fixed to be 'SSLv3 or later'. In practice this means that you will now see a lot more server-to-server links using TLSv1.2. --- src/ssl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index 61e7d26c5..a01ea5258 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -248,13 +248,14 @@ SSL_CTX *init_ctx_client(void) { SSL_CTX *ctx_client; - ctx_client = SSL_CTX_new(SSLv3_client_method()); + ctx_client = SSL_CTX_new(SSLv23_client_method()); if (!ctx_client) { mylog("Failed to do SSL CTX new client"); return NULL; } SSL_CTX_set_default_passwd_cb(ctx_client, ssl_pem_passwd_cb); + SSL_CTX_set_options(ctx_server, SSL_OP_NO_SSLv2); SSL_CTX_set_session_cache_mode(ctx_client, SSL_SESS_CACHE_OFF); if (SSL_CTX_use_certificate_file(ctx_client, SSL_SERVER_CERT_PEM, SSL_FILETYPE_PEM) <= 0) {