Blame SOURCES/stunnel-5.56-default-tls-version.patch

e5e615
--- stunnel-5.56/src/prototypes.h.default-tls-version	2020-04-06 11:22:24.480280384 +0200
e5e615
+++ stunnel-5.56/src/prototypes.h	2020-04-06 11:21:05.407597053 +0200
e5e615
@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
e5e615
 ICON_IMAGE load_icon_file(const char *);
e5e615
 #endif
e5e615
 
e5e615
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
e5e615
+                                             crypto policies */
e5e615
+
e5e615
 #endif /* defined PROTOTYPES_H */
e5e615
 
e5e615
 /* end of prototypes.h */
e5e615
--- stunnel-5.56/src/options.c.default-tls-version	2020-04-06 18:58:48.947214149 +0200
e5e615
+++ stunnel-5.56/src/options.c	2020-04-08 15:45:18.093520780 +0200
e5e615
@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD
e5e615
             return "Invalid protocol version";
e5e615
         return NULL; /* OK */
e5e615
     case CMD_INITIALIZE:
e5e615
-        if(section->max_proto_version && section->min_proto_version &&
e5e615
-                section->max_proto_version<section->min_proto_version)
e5e615
+        if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
e5e615
+                && section->min_proto_version != USE_DEFAULT_TLS_VERSION
e5e615
+                && section->max_proto_version<section->min_proto_version)
e5e615
             return "Invalid protocol version range";
e5e615
         break;
e5e615
     case CMD_PRINT_DEFAULTS:
e5e615
@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD
e5e615
     /* sslVersionMax */
e5e615
     switch(cmd) {
e5e615
     case CMD_SET_DEFAULTS:
e5e615
-        section->max_proto_version=0; /* highest supported */
e5e615
+        section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
e5e615
+                                                               OpenSSL crypto
e5e615
+                                                               policies.Do not
e5e615
+                                                               override it */
e5e615
         break;
e5e615
     case CMD_SET_COPY:
e5e615
         section->max_proto_version=new_service_options.max_proto_version;
e5e615
@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD
e5e615
     /* sslVersionMin */
e5e615
     switch(cmd) {
e5e615
     case CMD_SET_DEFAULTS:
e5e615
-        section->min_proto_version=TLS1_VERSION;
e5e615
+        section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
e5e615
+                                                               OpenSSL crypto
e5e615
+                                                               policies. Do not
e5e615
+                                                               override it */
e5e615
         break;
e5e615
     case CMD_SET_COPY:
e5e615
         section->min_proto_version=new_service_options.min_proto_version;
e5e615
--- stunnel-5.56/src/ctx.c.default-tls-version	2019-10-24 10:48:11.000000000 +0200
e5e615
+++ stunnel-5.56/src/ctx.c	2020-04-06 11:16:48.406406794 +0200
e5e615
@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
e5e615
         section->ctx=SSL_CTX_new(TLS_client_method());
e5e615
     else /* server mode */
e5e615
         section->ctx=SSL_CTX_new(TLS_server_method());
e5e615
-    if(!SSL_CTX_set_min_proto_version(section->ctx,
e5e615
-            section->min_proto_version)) {
e5e615
-        s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
e5e615
-            section->min_proto_version);
e5e615
-        return 1; /* FAILED */
e5e615
+
e5e615
+    if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
e5e615
+        s_log(LOG_INFO, "Using the default TLS version as specified in \
e5e615
+                OpenSSL crypto policies. Not setting explicitly.");
e5e615
+    } else {
e5e615
+        if(!SSL_CTX_set_min_proto_version(section->ctx,
e5e615
+                    section->min_proto_version)) {
e5e615
+            s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
e5e615
+                    section->min_proto_version);
e5e615
+            return 1; /* FAILED */
e5e615
+        }
e5e615
     }
e5e615
-    if(!SSL_CTX_set_max_proto_version(section->ctx,
e5e615
-            section->max_proto_version)) {
e5e615
-        s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
e5e615
-            section->max_proto_version);
e5e615
-        return 1; /* FAILED */
e5e615
+
e5e615
+    if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
e5e615
+        s_log(LOG_INFO, "Using the default TLS version as specified in \
e5e615
+                OpenSSL crypto policies. Not setting explicitly");
e5e615
+    } else {
e5e615
+        if(!SSL_CTX_set_max_proto_version(section->ctx,
e5e615
+                    section->max_proto_version)) {
e5e615
+            s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
e5e615
+                    section->max_proto_version);
e5e615
+            return 1; /* FAILED */
e5e615
+        }
e5e615
     }
e5e615
 #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
e5e615
     if(section->option.client)