From e5c63b5ab3ca79178d899c1837d87c4ac990ae05 Mon Sep 17 00:00:00 2001
From: Andrej Shadura
Date: Sat, 14 May 2022 03:18:56 +0800
Subject: [PATCH] Enable TLSv1.0 by default OpenSSL 1.1.1 disables TLSv1.0 by default and sets the security level to 2. Some older networks may support for TLSv1.0 and less secure cyphers.
Gbp-Pq: Name allow-tlsv1.patch
---
 src/crypto/tls_openssl.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 07d38e4..97a7fd6 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1035,6 +1035,13 @@ void * tls_init(const struct tls_config *conf)
 os_free(data);
 return NULL;
 }
+
+#ifndef EAP_SERVER_TLS
+ /* Enable TLSv1.0 by default to allow connecting to legacy
+ * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */
+ SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);
+#endif
+
 data->ssl = ssl;
 if (conf) {
 data->tls_session_lifetime = conf->tls_session_lifetime;
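Review bot: The added `SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION)` lowers the protocol floor for every client-side context that tls_init() creates, with no runtime opt-out visible in this hunk and with the return value ignored, so a network able to negotiate TLS 1.2 is exposed to a version downgrade and a failed call goes unnoticed. I would check the result, e.g. `if (SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION) != 1) wpa_printf(MSG_INFO, "OpenSSL: failed to set minimum TLS version");`, and gate the relaxation on a configuration setting (presumably one carried in `conf`) rather than only on the `EAP_SERVER_TLS` build macro. The comment also cites SECLEVEL=2, but nothing in the hunk changes the security level, so it should say that only the version floor is relaxed and that TLS 1.0 is deprecated (RFC 8996). tls_init() starts and ends outside the hunk, so a later per-connection override may exist that is not visible here.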