From 49fda337c980ead599c64009f324a00d8a5689e1 Mon Sep 17 00:00:00 2001
From: Linus Nordberg <linus@nordberg.se>
Date: Tue, 14 Nov 2017 15:45:27 +0100
Subject: Allow TLS versions newer than TLSv1.0.

From radsecproxy commits 025ef1f and be31ab4.
---
 radsecproxy/tlscommon.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'radsecproxy/tlscommon.c')

diff --git a/radsecproxy/tlscommon.c b/radsecproxy/tlscommon.c
index ed6c4bd..97b5914 100644
--- a/radsecproxy/tlscommon.c
+++ b/radsecproxy/tlscommon.c
@@ -202,9 +202,16 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
     switch (type) {
 #ifdef RADPROT_TLS
     case RAD_TLS:
-	ctx = SSL_CTX_new(TLSv1_method());
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+        /* TLS_method() was introduced in OpenSSL 1.1.0. */
+	ctx = SSL_CTX_new(TLS_method());
+#else
+        /* No TLS_method(), use SSLv23_method() and disable SSLv2 and SSLv3. */
+        ctx = SSL_CTX_new(SSLv23_method());
+        SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
 	break;
 #endif
+#endif  /* RADPROT_TLS */
 #ifdef RADPROT_DTLS
     case RAD_DTLS:
 	ctx = SSL_CTX_new(DTLSv1_method());
-- 
cgit v1.1