Attachment #868517 for bug #912315




	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);

	/* Many enterprise PEAP server implementations (e.g. used in large
	 corporations and universities) do not support RFC5746 secure
	 renegotiation, and starting with OpenSSL 3.0,
	 SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
	 So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
	 only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
	 globally. */

	SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);

	SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);

#ifdef SSL_MODE_NO_AUTO_CHAIN

Return to bug 912315

Lines 1056-1061 void * tls_init(const struct tls_config *conf) Link Here

(-)a/src/crypto/tls_openssl.c (+10 lines)
1056	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);	1056	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
1057	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);	1057	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
1058		1058
		1059	/* Many enterprise PEAP server implementations (e.g. used in large
		1060	corporations and universities) do not support RFC5746 secure
		1061	renegotiation, and starting with OpenSSL 3.0,
		1062	SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
		1063	So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
		1064	only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
		1065	globally. */
		1066
		1067	SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
		1068
1059	SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);	1069	SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
1060		1070
1061	#ifdef SSL_MODE_NO_AUTO_CHAIN	1071	#ifdef SSL_MODE_NO_AUTO_CHAIN