--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200
+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200
@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
 ICON_IMAGE load_icon_file(const char *);
 #endif
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
+ crypto policies */
+
 #endif /* defined PROTOTYPES_H */
 /* end of prototypes.h */
--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200
+++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200
@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD
 return "Invalid protocol version";
 return NULL; /* OK */
 case CMD_INITIALIZE:
- if(section->max_proto_version && section->min_proto_version &&
- section->max_proto_versionmin_proto_version)
+ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
+ && section->min_proto_version != USE_DEFAULT_TLS_VERSION
+ && section->max_proto_versionmin_proto_version)
 return "Invalid protocol version range";
 break;
 case CMD_PRINT_DEFAULTS:
@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD
 /* sslVersionMax */
 switch(cmd) {
 case CMD_SET_DEFAULTS:
- section->max_proto_version=0; /* highest supported */
+ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto
+ policies.Do not
+ override it */
 break;
 case CMD_SET_COPY:
 section->max_proto_version=new_service_options.max_proto_version;
@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD
 /* sslVersionMin */
 switch(cmd) {
 case CMD_SET_DEFAULTS:
- section->min_proto_version=TLS1_VERSION;
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto
+ policies. Do not
+ override it */
 break;
 case CMD_SET_COPY:
 section->min_proto_version=new_service_options.min_proto_version;
--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200
+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200
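Review bot: The new `USE_DEFAULT_TLS_VERSION` sentinel is documented only as "use defaults", not why it has to be a negative value, and the header is where the next reader will look for that. The real version constants such as `TLS1_VERSION` are positive and `0` already means "no limit" to `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version`, so the macro needs a value outside both ranges; I would state that in a single-line comment: `/* sentinel: leave the bound unset so the OpenSSL build / system crypto policy decides; negative so it cannot collide with 0 ("no limit") or any TLS*_VERSION value */`. The placement after the icon prototypes rather than near other protocol-version declarations is cosmetic but worth a look.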
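Review bot: The rewritten `CMD_INITIALIZE` condition skips the min/max range check whenever either bound is still `USE_DEFAULT_TLS_VERSION`, so a configuration that sets only one of `sslVersionMin`/`sslVersionMax` is no longer validated against the other at startup; a floor above the policy's ceiling (or vice versa) will only surface as handshake failures at runtime rather than as "Invalid protocol version range". That is a deliberate consequence of deferring to the policy, but it should be recorded where the check lives, e.g. `/* range is only checked when both bounds are explicit; a single explicit bound is validated against the crypto policy at handshake time */`, and the unchanged `case CMD_PRINT_DEFAULTS:` branch continues past this hunk. The half of the comparison after `max_proto_version` appears garbled in this rendering of the patch, so I have not reviewed the operator itself.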
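Review bot: The `CMD_SET_DEFAULTS` comment in the sslVersionMax hunk (`@@ -3142`) is wrapped across four lines with a missing space in `policies.Do not`, and the sslVersionMin hunk (`@@ -3173`) repeats the same four-line wrap; the old `/* highest supported */` that told the reader what the previous default value meant is lost in the process. A single line per site reads better and keeps that context: `section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* ceiling left to the OpenSSL build / crypto policy (was 0 = highest supported) */` and correspondingly `/* floor left to the OpenSSL build / crypto policy (was TLS1_VERSION) */`. Since the field no longer holds a real version by default, the `CMD_PRINT_DEFAULTS`/`CMD_PRINT_HELP` branches of this option, which lie outside the hunk, should be checked in case they format the value numerically and would now print `-2`.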
@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
 section->ctx=SSL_CTX_new(TLS_client_method());
 else /* server mode */
 section->ctx=SSL_CTX_new(TLS_server_method());
- if(!SSL_CTX_set_min_proto_version(section->ctx,
- section->min_proto_version)) {
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
- section->min_proto_version);
- return 1; /* FAILED */
+
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
+ OpenSSL crypto policies. Not setting explicitly.");
+ } else {
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
 }
- if(!SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
+ OpenSSL crypto policies. Not setting explicitly");
+ } else {
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
 }
 #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
 if(section->option.client)
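Review bot: Both new `s_log(LOG_INFO, ...)` calls split the string literal with a backslash-newline, and because line splicing happens before tokenization the indentation of the continuation line ends up inside the logged message; use adjacent literal concatenation instead, e.g. `s_log(LOG_INFO, "Minimum TLS protocol version not set explicitly; "` followed by `"using the OpenSSL build / crypto policy default");` and the same for the maximum. The two messages are otherwise identical except for a trailing period, so a log reader cannot tell which bound was left to the policy; naming minimum/maximum in each fixes that. Because an unset floor now depends on what the OpenSSL build and its system policy allow rather than the explicit `TLS1_VERSION` of the old default, it is worth raising these messages to `LOG_NOTICE` so the effective source of the limit is visible in a default-verbosity log. The `} else { if(...) {` nesting can be flattened to `} else if(...) {` in both places; `context_init` begins and ends outside this hunk.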