Debian 10 effectively overrides our set::ssl::protocols settings

causing UnrealIRCd to only accept SSL/TLS 1.2 and later connections.
We now use SSL_CTX_set_min_proto_version() to set the minimum
protocol version to fix this, only to disable specific SSL/TLS
versions later on via the old API.
It's great that they disabled SSL/TLS <1.2 by default and we have
already been considering doing the same in 2020, laying the
groundwork via set::ssl::outdated-protocols in February 2019.
However, such a chance is unexpected during UnrealIRCd 4.x.

autoconf/m4/unreal.m4

@@ -192,14 +192,34 @@ SAVE_LIBS="$LIBS"
 LIBS="$LIBS $CRYPTOLIB"
 AC_TRY_LINK([#include <openssl/ssl.h>],
 	[SSL_CTX *ctx = NULL; SSL_CTX_set1_curves_list(ctx, "test");],
-	has_curves=1,
-	has_curves=0)
+	has_function=1,
+	has_function=0)
 LIBS="$SAVE_LIBS"
 AC_LANG_POP(C)
-if test $has_curves = 1; then
+if test $has_function = 1; then
 	AC_MSG_RESULT([yes])
 	AC_DEFINE([HAS_SSL_CTX_SET1_CURVES_LIST], [], [Define if ssl library has SSL_CTX_set1_curves_list])
 else
 	AC_MSG_RESULT([no])
 fi
 ])
+
+AC_DEFUN([CHECK_SSL_CTX_SET_MIN_PROTO_VERSION],
+[
+AC_MSG_CHECKING([for SSL_CTX_set_min_proto_version in SSL library])
+AC_LANG_PUSH(C)
+SAVE_LIBS="$LIBS"
+LIBS="$LIBS $CRYPTOLIB"
+AC_TRY_LINK([#include <openssl/ssl.h>],
+	[SSL_CTX *ctx = NULL; SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);],
+	has_function=1,
+	has_function=0)
+LIBS="$SAVE_LIBS"
+AC_LANG_POP(C)
+if test $has_function = 1; then
+	AC_MSG_RESULT([yes])
+	AC_DEFINE([HAS_SSL_CTX_SET_MIN_PROTO_VERSION], [], [Define if ssl library has SSL_CTX_set_min_proto_version])
+else
+	AC_MSG_RESULT([no])
+fi
+])

configure

@@ -8582,9 +8582,9 @@ SSL_CTX *ctx = NULL; SSL_CTX_set1_curves_list(ctx, "test");
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  has_curves=1
+  has_function=1
 else
-  has_curves=0
+  has_function=0
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
@@ -8595,7 +8595,7 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
-if test $has_curves = 1; then
+if test $has_function = 1; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 
@@ -8606,6 +8606,53 @@ else
 $as_echo "no" >&6; }
 fi
 
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_min_proto_version in SSL library" >&5
+$as_echo_n "checking for SSL_CTX_set_min_proto_version in SSL library... " >&6; }
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+SAVE_LIBS="$LIBS"
+LIBS="$LIBS $CRYPTOLIB"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <openssl/ssl.h>
+int
+main ()
+{
+SSL_CTX *ctx = NULL; SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  has_function=1
+else
+  has_function=0
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS="$SAVE_LIBS"
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+if test $has_function = 1; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAS_SSL_CTX_SET_MIN_PROTO_VERSION /**/" >>confdefs.h
+
+else
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
 # Check whether --enable-dynamic-linking was given.
 if test "${enable_dynamic_linking+set}" = set; then :
   enableval=$enable_dynamic_linking; enable_dynamic_linking=$enableval

configure.ac

@@ -699,6 +699,7 @@ AC_ARG_WITH(system-argon2, [AS_HELP_STRING([--without-system-argon2], [Use bundl
 AC_ARG_WITH(system-cares, [AS_HELP_STRING([--without-system-cares], [Use bundled version instead of system c-ares. Normally autodetected via pkg-config.])], [], [with_system_cares=yes])
 CHECK_SSL
 CHECK_SSL_CTX_SET1_CURVES_LIST
+CHECK_SSL_CTX_SET_MIN_PROTO_VERSION
 AC_ARG_ENABLE(dynamic-linking, [AS_HELP_STRING([--disable-dynamic-linking], [Make the IRCd statically link with shared objects rather than dynamically (noone knows if disabling dynamic linking actually does anything or not)])],
 	[enable_dynamic_linking=$enableval], [enable_dynamic_linking="yes"])
 AS_IF([test $enable_dynamic_linking = "yes"],

include/setup.h.in

@@ -43,6 +43,9 @@
 /* Define if ssl library has SSL_CTX_set1_curves_list */
 #undef HAS_SSL_CTX_SET1_CURVES_LIST
 
+/* Define if ssl library has SSL_CTX_set_min_proto_version */
+#undef HAS_SSL_CTX_SET_MIN_PROTO_VERSION
+
 /* Define to 1 if you have the `bcmp' function. */
 #undef HAVE_BCMP
 

src/ssl.c

@@ -257,6 +257,10 @@ static void setup_dh_params(SSL_CTX *ctx)
 /** Disable SSL/TLS protocols as set by config */
 void disable_ssl_protocols(SSL_CTX *ctx, SSLOptions *ssloptions)
 {
+#ifdef HAS_SSL_CTX_SET_MIN_PROTO_VERSION
+	/* First, we need a starting point... */
+	SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+#endif
 	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); /* always disable SSLv2 */
 	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); /* always disable SSLv3 */